Last Updated: 06 May 2026

GDPR DPO Requirements: Does Your Organisation Need One?

Learn when a Data Protection Officer is legally required under GDPR. Understand Article 37 criteria, SME obligations, and compliance best practices.


One of the most common questions organisations ask when structuring their GDPR compliance is whether appointing a Data Protection Officer is legally required. The mandatory DPO question comes up early — and the answer is rarely straightforward. It depends on specific criteria defined by the GDPR, and neither company size nor industry sector alone is enough to determine your obligation.

This article gives you a clear, practical framework to assess your situation: when a DPO is legally mandatory, when appointing one is strongly recommended even without a formal obligation, and what your next concrete steps should be.

For a complete overview of the role, required competencies, and training programmes available, read our guide on Data Protection Officer training.

What Is a DPO Under the GDPR?

A Data Protection Officer — referred to in French as the délégué à la protection des données — is the person responsible for ensuring that an organisation's personal data processing activities comply with GDPR requirements. The DPO advises the organisation on its obligations, monitors compliance across all processing activities, supports the completion of Data Protection Impact Assessments (DPIAs), and acts as the official point of contact with the supervisory authority and with data subjects.

What sets the DPO apart from a standard legal advisor is the breadth of the role. A Data Protection Officer operates at the intersection of compliance, IT, human resources, marketing, and senior management. That cross-functional positioning is precisely what makes mandatory DPO designation a strategic lever — not merely a regulatory checkbox.

When Is a DPO Mandatory Under GDPR?

The mandatory DPO GDPR framework is built around three specific situations, defined in Article 37 of the regulation. If your organisation falls into any one of them, appointing a Data Protection Officer is a legal requirement — not an option.

1. Public Authorities and Public Bodies

All public authorities and public bodies are required to designate a DPO, with the sole exception of courts acting in their judicial capacity. This covers government ministries and central administrations, municipalities and local authorities, public institutions, public hospitals, and universities. For these organisations, the obligation applies automatically, regardless of the volume or nature of the data processing carried out.

2. Large-Scale Regular and Systematic Monitoring

A mandatory DPO is also required when an organisation's core activities involve large-scale regular and systematic monitoring of individuals. This typically applies to banks and financial institutions, insurance companies, telecommunications providers, digital platforms and e-commerce operators, and any organisation whose business model relies on behavioural profiling, credit scoring, or continuous large-scale monitoring of customers or users. The key criterion here is not the size of the organisation, but the centrality of individual monitoring to its core operations.

3. Large-Scale Processing of Sensitive Data

The DPO obligation also applies when core activities involve large-scale processing of sensitive personal data — or data relating to criminal convictions and offences. Sensitive data under the GDPR includes health data, biometric and genetic data, political opinions, religious or philosophical beliefs, trade union membership, data concerning sexual life or sexual orientation, and data revealing racial or ethnic origin.

The CNIL confirms that these three categories represent the main situations in which DPO designation is mandatory. For the full regulatory detail, refer to the official CNIL page on the DPO.

How to Assess Whether Your Organisation Is Affected

The right approach is to analyse what your organisation actually does with personal data — not your headcount or legal status. The following self-assessment framework helps you structure that analysis:

| Question to Consider | Why It Matters |
|---|---|
| Do we process personal data on a regular basis? | GDPR obligations apply as soon as personal data is being processed. |
| Is this processing central to our core activities? | The mandatory DPO obligation applies to core activities, not incidental processing. |
| Is the processing carried out at large scale? | Volume, duration, geographic scope, and number of individuals affected all count. |
| Do we handle sensitive personal data? | Sensitive data significantly increases your GDPR compliance obligations. |
| Do we carry out monitoring, profiling, or scoring? | These practices may constitute regular and systematic monitoring under the GDPR. |

This analysis determines whether DPO designation is a legal obligation or a governance best practice for your organisation. If any uncertainty remains after completing this assessment, consulting a GDPR compliance specialist or contacting your national supervisory authority directly is strongly advisable.

Is a Mandatory DPO Required for SMEs?

Being a small or medium-sized enterprise does not automatically exempt an organisation from the mandatory DPO requirement. The GDPR sets no employee threshold: what matters is the nature, scale, and purpose of the data processing activities carried out — not the number of staff or annual turnover.

In practical terms, a small digital health platform processing medical data at scale will very likely be subject to the obligation, while a local retailer collecting only basic customer contact details probably will not. An SME may therefore be required to appoint a DPO if its core activities involve sensitive, regular, or large-scale systematic processing. The right question is never "how large are we?" but "what are we actually doing with personal data, and at what scale?"

What If a DPO Is Not Mandatory for Your Organisation?

The absence of a legal obligation does not mean the absence of value. The CNIL actively encourages organisations to designate a DPO even when it is not formally required, because doing so strengthens internal accountability, improves documentation of processing activities, makes handling data subject requests more efficient, and reduces the risk of non-compliance over time.

There is, however, an important nuance to keep in mind. If your organisation voluntarily appoints a DPO, it must comply with the GDPR requirements attached to that role — including independence in carrying out their tasks, access to sufficient resources, protection from instructions regarding their duties, and a direct reporting line to the highest level of management. These obligations are detailed in Chapter IV of the GDPR as annotated by the CNIL. Appointing a DPO without giving them the means to act effectively would expose the organisation to greater regulatory risk than not designating one at all.

Internal or External DPO: Which Option Is Right?

The GDPR explicitly permits a DPO to be either a member of staff or an external service provider engaged under a service contract, as set out in Article 37. Both options are valid — but they suit different organisational profiles.

An internal DPO is generally the right fit for organisations that already have established data protection expertise, whose processing activities are complex and ongoing, and that can genuinely guarantee the independence of the role without conflict of interest. This is often the case for larger organisations with mature GDPR governance structures.

An external DPO is typically better suited to organisations that lack sufficient in-house expertise, that need specialist support on a flexible basis, or for which independence from operational decisions is easier to guarantee through a third party. For most SMEs beginning their GDPR compliance journey, the external DPO is often the most pragmatic and cost-effective entry point.

The right choice depends on the organisation's risk profile, GDPR maturity, and available internal competencies. Whether internal or external, the DPO role must be exercised free from hierarchical pressure on compliance decisions — that is a non-negotiable GDPR requirement.

What Competencies Should a DPO Have?

An effective Data Protection Officer combines legal expertise, technical knowledge, and strong interpersonal skills. They must have a thorough command of the GDPR and applicable data protection law, be capable of conducting compliance audits, carrying out DPIAs, and assessing the risks associated with processing activities. Beyond regulatory knowledge, a strong DPO must also communicate clearly with senior management, operational teams, and supervisory authorities alike. It is this combination of technical depth and organisational influence that defines a truly effective Data Protection Officer.

To identify the right training programme in France and understand the competencies required at each level, read our complete guide on Data Protection Officer training. Professionals looking to move into this role will also find practical guidance in our article on how to become a Data Protection Officer in 2026.

Conclusion: Does Your Organisation Need to Appoint a DPO?

The answer always comes back to what your organisation actually does with personal data. A mandatory DPO is required for public authorities and public bodies, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those that process sensitive personal data at scale. In all other cases, appointing a DPO remains a sound governance decision — provided the role is given the independence and resources to function effectively.

If your organisation processes personal data on a regular or sensitive basis, the next step is clear: assess your processing activities, clarify your obligations, and ensure that the people responsible for GDPR compliance have the knowledge and tools they need. The earlier that work begins, the more durably it protects your organisation.

Ready to take the next step? Whether you are looking to step into the DPO role yourself or build stronger GDPR expertise within your team, our certified Data Protection Officer training programme gives you the legal foundations, practical tools, and professional recognition to lead compliance with confidence.

Explore the DPO Training Programme →

FAQ — Mandatory DPO: Frequently Asked Questions

Is a DPO mandatory for all companies?

No. The obligation depends on the nature and scale of data processing activities, not on company size or sector. A large enterprise with limited, non-sensitive processing may not be affected, while an SME processing health data at scale will be.

Can an SME be required to appoint a DPO?

Yes. If its core activities involve large-scale monitoring or large-scale processing of sensitive data, an SME is subject to the same mandatory DPO obligation as any large organisation. Size is never the determining factor.

Can a DPO be an external appointment?

Yes. The GDPR explicitly permits an external DPO — whether an independent consultant or a specialist firm — provided the role meets the regulation's requirements on expertise, independence, and access to sufficient resources. For many SMEs, this is the most accessible path to structured GDPR compliance.