A rticle 37 sets out the criteria for when a Data Protection Officer (DPO) is required as follows:
The controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Accordingly, most SMEs will not need to appoint a Data Protection Officer. Should your business meet one of the cases above and need a DPO there's lots more to read about the requirements and the DPO's duties in Articles 37, 38 and 39