When Is A Data Protection Officer (DPO) Required?

  • Home /
  • GDPR Guide /
  • When Is A Data Protection Officer (DPO) Required?

A rticle 37 sets out the criteria for when a Data Protection Officer (DPO) is required as follows:

The controller and the processor shall designate a data protection officer in any case where:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Article 37 - Designation of the data protection officer GDPR

Accordingly, most SMEs will not need to appoint a Data Protection Officer. Should your business meet one of the cases above and need a DPO there's lots more to read about the requirements and the DPO's duties in Articles 37, 38 and 39

Important: This site describes our current understanding of the General Data Protection Regulation (GDPR).

We are not lawyers, always seek specialist GDPR advice for your organisation.

About Redox Software

At Redox we specialise in producing bespoke software written especially for your business. We can write you a system that can be used on your computer, via the web or on your tablet/phone – or any combination of those - either now or in the future.

Latest Redox Posts


Our Contact Details

The Colin Sanders Innovation Centre
Mewburn Road, Banbury
Oxfordshire. OX16 9PA

+44 (0)1295 817646