Under GDPR Article 37, a Data Protection Officer (DPO) must be designated whenever the controller or processor is a public authority or body, its core activities require large-scale regular and systematic monitoring of data subjects, or its core activities consist of large-scale processing of special categories of data or criminal conviction data. Failing to designate a DPO when required is sanctionable under Article 83(4) with fines of up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
In January 2024, the EDPB published its coordinated enforcement report on DPO designation and position, based on 17,490 responses from organizations and DPOs across the EEA. The report identified seven recurring areas of non-compliance, including insufficient resources, conflicts of interest, and lack of involvement in organizational decision-making.
When Is a DPO Mandatory Under GDPR?
What Are the Three Mandatory Cases?
Article 37 of the GDPR requires the designation of a DPO in three specific situations:
- Public authorities or bodies — All government entities and organizations governed by public law must appoint a DPO, except courts acting in their judicial capacity.
- Large-scale systematic monitoring — Organizations whose core activities require regular and systematic monitoring of data subjects on a large scale, such as online behavior tracking, location tracking, or loyalty programs.
- Large-scale processing of sensitive data — Organizations whose core activities consist of large-scale processing of special categories of data under Article 9 (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation) or of personal data relating to criminal convictions and offences under Article 10.
The term “large scale” is not defined in the GDPR. The Article 29 Working Party guidelines on DPOs (WP243, endorsed by the EDPB) weigh the number of data subjects concerned, the volume of data and range of data items, the duration or permanence of the processing, and its geographical extent. A hospital processing patient records is processing at large scale; an individual physician’s practice generally is not.
The “core activities” criterion is also important. It refers to the primary business operations of the controller or processor, not ancillary functions. For example, payroll processing is ancillary for most organizations and does not trigger a mandatory DPO requirement — but for an outsourced payroll provider, it is the core activity.
When Should You Appoint a DPO Even If Not Required?
Beyond the mandatory cases, voluntary appointment is advisable for healthcare providers managing patient records, financial institutions processing transaction data, ed-tech platforms handling student data, and, as a rule of thumb, any organization with more than 250 employees that processes personal data regularly. The 250-employee figure is a rule of thumb only: in the GDPR it is the threshold at which the Article 30(5) exemption from keeping records of processing falls away, not a DPO trigger. Note also that a voluntarily appointed DPO is subject to the same requirements under Articles 37 to 39 as a mandatory one, so an organization that appoints one cannot then disregard the independence, resourcing and reporting rules.
In 2025, the Polish supervisory authority fined a public entity EUR 5,814 specifically for failing to designate a DPO and failing to publish the DPO’s contact details — confirming that even small administrative bodies are subject to enforcement. In Austria, a company was fined EUR 5,000 for appointing its managing director as DPO, creating a conflict of interest with no safeguards in place.
How to Designate a DPO: The Process
Step 1: Assess Whether Designation Is Required
Analyze your data processing activities against the three mandatory criteria and document the assessment; supervisory authorities expect a written justification of the decision, whether or not a DPO is appointed. If your core activities involve large-scale processing of special categories of data or large-scale regular and systematic monitoring, designation is required. Where it is unclear whether the “core activities” or “large scale” thresholds are met, record the reasoning behind your conclusion, since that reasoning is what a regulator will examine.
Step 2: Define the Role and Select a Candidate
The GDPR requires that the DPO be designated on the basis of “professional qualities and, in particular, expert knowledge of data protection law and practices” (Article 37(5)). The DPO can be an employee or an external service provider under contract (Article 37(6)). For a detailed comparison between internal and external options, see our guide on DPO or compliance officer.
Key requirements for the role:
- Expert knowledge of GDPR and relevant national data protection laws
- Understanding of the organization’s data processing operations and IT infrastructure
- Ability to act independently without instructions on how to exercise their tasks
- Direct reporting line to the highest level of management (Article 38(3))
A group of undertakings may appoint a single DPO, provided that the DPO is easily accessible from each establishment (Article 37(2)).
Step 3: Formalize and Notify
The appointment must be formalized in writing, with a clear job description specifying duties, reporting lines, and scope of authority. The organization must then publish the DPO’s contact details and communicate them to the relevant supervisory authority (Article 37(7)). In France, this notification is done online through the CNIL.
Internal vs. External DPO: How to Choose?
An internal DPO brings deep organizational knowledge and direct access to teams, and is typically more cost-effective for larger organizations. However, the EDPB’s 2024 enforcement report flagged that internal DPOs frequently face conflicts of interest — particularly when they also hold IT management, HR, or compliance roles.
An external DPO offers specialized expertise and objectivity. This option suits organizations without in-house data protection expertise, or where the volume of processing does not justify a full-time position. The 2024 EDPB report found that external DPOs sometimes lack sufficient access to the organization’s processing operations, reducing their effectiveness.
Regardless of the choice, Article 38 requires that the DPO:
- Receives no instructions regarding the exercise of their tasks and reports directly to the highest management level (Article 38(3))
- Cannot be dismissed or penalized for performing their duties (Article 38(3))
- Has the resources necessary to carry out their tasks, access to personal data and processing operations, and the means to maintain their expert knowledge (Article 38(2))
- Is involved, properly and in a timely manner, in all issues relating to the protection of personal data (Article 38(1))
- May perform other tasks and duties only where these do not result in a conflict of interests (Article 38(6))
The Polish DPA’s EUR 132,000 fine against Toyota Bank Polska in 2025 — for improper DPO positioning and insufficient independence — demonstrates that regulators enforce these requirements actively.
What the EDPB Found: Seven Areas of DPO Non-Compliance
The EDPB’s January 2024 report, based on coordinated enforcement across 25 EEA supervisory authorities, identified persistent structural failures in how organizations handle DPO designation:
- Absence of designation — Organizations subject to mandatory requirements had not appointed a DPO at all.
- Insufficient resources — DPOs lacked budget, staff, and time to fulfill their duties.
- Insufficient training — DPOs were not provided with ongoing education on legal and technical developments.
- Tasks not properly assigned — Organizations did not explicitly entrust DPOs with the tasks required under Article 39.
- Conflicts of interest — DPOs held concurrent roles (IT director, head of compliance, legal counsel) that compromised their independence.
- Lack of reporting to management — DPOs did not have direct access to senior leadership as required by Article 38(3).
- Need for additional DPA guidance — Both organizations and DPOs requested clearer practical guidance from supervisory authorities.
The report concluded that “DPO tasks may not always be properly assigned” and highlighted “insufficient resources allocated to DPOs, insufficient expert knowledge, and risks of conflicts of interests” as the most common findings across the EEA. For more on how these issues relate to the DPO’s organizational placement, see our article on the position of the DPO.
Organizations can use compliance platforms such as Legiscope to automate GDPR documentation, training, and audit tracking — reducing the resource burden on DPOs while maintaining compliance.
Disclaimer: This article provides general guidance on GDPR DPO designation and does not constitute legal advice. Consult a qualified data protection professional for advice specific to your situation.
Conclusion
Designating a DPO is not a formality — it is a structural compliance requirement with concrete enforcement consequences. The EDPB’s coordinated enforcement has made clear that designation alone is insufficient: the DPO must be properly resourced, independent, and involved in all data protection matters from the earliest stage.
Organizations subject to the mandatory requirement should treat DPO designation as a priority and document their compliance with Articles 37, 38, and 39. Those not subject to the requirement should document why they concluded a DPO is not necessary, a gap that regulators increasingly scrutinize. Organizations deploying high-risk AI systems should also note the EU AI Act, whose obligations for Annex III high-risk systems apply from August 2, 2026. Article 26 of the AI Act does not create a separate DPO-like role, but it requires deployers to assign human oversight to natural persons with the necessary competence, training and authority (Article 26(2)) and to use the provider’s instructions for use when carrying out a GDPR Article 35 data protection impact assessment (Article 26(9)); both obligations require close coordination with the DPO.
The EDPB’s 2026 coordinated enforcement action now focuses on transparency obligations (Articles 12-14), but the lessons from the 2023 DPO action remain directly applicable. Organizations that addressed the seven findings from that report are better positioned for the transparency scrutiny ahead.
Last reviewed: March 2026