
GDPR Art.37: Designation of the Data Protection Officer

What This Control Requires

The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

In Plain Language

Having the right person overseeing data protection is not optional for many organisations. A DPO must be appointed in three situations: you are a public authority, your core activities involve regular and systematic monitoring of individuals on a large scale, or your core activities involve large-scale processing of special category or criminal data.

The DPO can be an internal employee or an external service provider. What matters is that they have genuine expert knowledge of data protection law and practice, and the ability to carry out the tasks outlined in Article 39. Groups of companies can share a single DPO, as long as that person is easily accessible from each establishment.

Even if you are not legally required to appoint one, many organisations do so voluntarily - and the EDPB encourages it. Be aware, though, that once you appoint a DPO (mandatory or voluntary), you must follow all the rules in Articles 37 to 39 covering independence, resources, and reporting. If you choose not to appoint one, still designate someone to own data protection compliance internally.

How to Implement

First, determine whether your organisation is legally required to appoint a DPO. Check whether you are a public authority, whether your core activities involve regular and systematic monitoring at scale (consider the number of data subjects, data volume, geographic scope, duration, and frequency), or whether you process special categories or criminal data at scale. Document your assessment and conclusion.

If a DPO is needed (or you choose to appoint one voluntarily), pick the right person. Look for expertise in national and European data protection law, a solid understanding of your processing operations and technology stack, the ability to drive a data protection culture, and strong communication skills for engaging with leadership, staff, regulators, and data subjects. Decide whether an internal hire or an external DPO service fits your situation better.

Formalise the appointment and make it visible. Publish the DPO's contact details internally and externally (including in your privacy notices). Notify your supervisory authority as required. Position the DPO so they report to the highest management level and cannot be instructed on how to exercise their tasks.

Give the DPO what they need to do the job properly. That means sufficient time (if the role is combined with other duties, ensure there are no conflicts of interest), access to all relevant processing information, a budget for training, external expertise and tooling, a support team where the workload demands it, and the authority to engage with regulators directly.

Create processes that bring the DPO into every significant data protection decision. They should be involved in DPIAs, breach responses, data subject requests, new processing activities, privacy-by-design assessments, and any other material privacy matters. Build an escalation pathway that routes data protection concerns through the DPO as standard.

Evidence Your Auditor Will Request

  • DPO necessity assessment documenting whether appointment is mandatory
  • DPO appointment documentation including qualifications and contact details
  • Evidence of DPO registration with the supervisory authority
  • Resource allocation documentation showing adequate support for the DPO role
  • Evidence of DPO involvement in key data protection activities (DPIAs, breach response, etc.)

Common Mistakes

  • DPO not appointed despite meeting the mandatory criteria under Article 37(1)
  • DPO lacking the required expert knowledge of data protection law and practices
  • DPO not provided with adequate resources or time to perform their role effectively
  • DPO's contact details not published to data subjects or not communicated to the supervisory authority
  • DPO appointed but not involved in key data protection decisions and activities

Related Controls Across Frameworks

Framework  | Control ID | Relationship
-----------|------------|-------------
ISO 27001  | A.5.2      | Related

Frequently Asked Questions

Can the DPO hold another role within the organisation?
Yes, but you need to watch for conflicts of interest. Any role that determines the purposes and means of processing - CEO, CFO, CTO, HR director, head of marketing - is generally incompatible with the DPO function. The person cannot be both the decision-maker and the one scrutinising those decisions.
Can we use an external DPO?
Absolutely. Article 37(6) explicitly allows it. External DPO services are a particularly good fit for smaller organisations that cannot justify a full-time hire. The same requirements around qualifications, independence, resources, and accessibility apply regardless of whether the DPO is internal or external.
What constitutes 'large scale' processing?
The GDPR does not give a hard number. The EDPB says to look at how many data subjects are involved, the volume of data, how long the processing lasts, and the geographic reach. A hospital processing patient data is a classic example of large scale. A solo GP practice is not. Use those reference points and apply common sense.
