The General Data Protection Regulation (GDPR) reshaped how organizations across the European Union and beyond manage personal data. Among its most misunderstood provisions is Article 37, which defines when an organization must appoint a Data Protection Officer (DPO).
Many companies either over-appoint a DPO “just in case” or, more dangerously, assume they are exempt when they are not. Article 37 is not about company size or revenue—it is about how and why personal data is processed. This article explains Article 37 in plain language, breaks down its legal logic, and illustrates compliance through five realistic examples.
What Is GDPR Article 37?
Article 37 GDPR establishes the obligation to designate a Data Protection Officer (DPO) in specific circumstances. The DPO acts as an internal (or external) expert responsible for overseeing data protection compliance, advising the organization, and serving as a point of contact with supervisory authorities.
Importantly, Article 37 does not require every organization to appoint a DPO. Instead, it defines three clear triggers that make appointment mandatory.
The Three Mandatory Triggers Under Article 37
1. Processing Is Carried Out by a Public Authority or Body
Any public authority or public body must appoint a DPO, except for courts acting in their judicial capacity.
This includes:
- Government ministries
- Municipal administrations
- Public hospitals
- State universities
- Public employment agencies
The logic is simple: public bodies routinely process large volumes of sensitive personal data, often without the individual’s ability to opt out.
2. Core Activities Require Regular and Systematic Monitoring of Individuals at Scale
This trigger causes the most confusion.
A DPO is mandatory when:
- Monitoring individuals is a core activity (not incidental)
- Monitoring is regular and systematic
- Monitoring occurs on a large scale
Regular and systematic monitoring includes:
- Behavioral tracking
- Profiling
- Location monitoring
- Online tracking via cookies or devices
- Credit scoring
- Surveillance systems
Core activity means the processing is essential to the business model—not a support function like payroll or HR.
3. Core Activities Involve Large-Scale Processing of Special Category Data
Special category data includes:
- Health data
- Biometric data
- Genetic data
- Religious beliefs
- Political opinions
- Sexual orientation
- Trade union membership
If processing this data at large scale is central to what the organization does, a DPO is mandatory.
What “Core Activities” Really Means in Practice
A frequent mistake is assuming that any data processing triggers Article 37. GDPR is more nuanced.
Core activities are:
- Inextricably linked to the organization’s purpose
- Essential to achieving business objectives
- Impossible to remove without changing the nature of the service
Not core activities:
- Payroll processing
- Internal IT logs
- Employee HR records (unless HR outsourcing is the business itself)
For example, a hospital’s core activity is patient treatment, which requires processing health data. Payroll is necessary, but not core.
What Does “Large-Scale” Mean?
GDPR intentionally avoids strict numerical thresholds. Instead, regulators assess scale based on:
- Number of data subjects
- Volume of data
- Duration of processing
- Geographic scope
Large-scale processing usually involves:
- Thousands or millions of individuals
- Continuous or recurring processing
- Multi-regional or national reach
Small clinics, solo practitioners, or local professionals may fall outside large-scale processing—but platforms, networks, and centralized services rarely do.
Must the DPO Be an Employee?
No.
Article 37 explicitly allows:
- Internal DPOs (employees)
- External DPOs (outsourced professionals or firms)
However, the DPO must:
- Have expert knowledge of data protection law
- Operate independently
- Report to top management
- Have no conflict of interest
For example, a Head of IT or Marketing Director is usually not suitable as a DPO due to conflicts between operational goals and compliance oversight.
Consequences of Failing to Appoint a Required DPO
Failure to appoint a DPO when required constitutes direct GDPR non-compliance.
Possible consequences include:
- Administrative fines
- Enforcement orders
- Mandatory audits
- Increased liability in case of data breaches
- Reputational damage
Regulators frequently treat the absence of a required DPO as an aggravating factor when assessing penalties.
Five Practical Examples of GDPR Article 37 in Action
Example 1: Public Hospital Network
A regional hospital network processes:
- Patient medical records
- Diagnostic imaging
- Genetic test results
- Staff health data
This is a public body conducting large-scale processing of sensitive health data as a core activity.
Result: A DPO is mandatory under both triggers #1 and #3.
Example 2: Behavioral Advertising Platform
An ad-tech company tracks:
- User browsing behavior
- Device identifiers
- Location data
- Purchase intent signals
Monitoring is:
- Systematic
- Continuous
- Central to revenue generation
- Conducted across millions of users
Result: Mandatory DPO under trigger #2 (regular and systematic monitoring at scale).
Example 3: Private Medical Diagnostics Laboratory
A private lab performs blood tests and diagnostics for hospitals and clinics nationwide. It processes health data daily for thousands of patients.
Even though it is a private company, its core activity is large-scale processing of special category data.
Result: Mandatory DPO under trigger #3.
Example 4: Small Accounting Firm (No DPO Required)
A local accounting firm with:
- 6 employees
- 120 clients
- Occasional processing of personal identification data
Processing is limited in scale and not based on monitoring or sensitive data at scale.
Result: No mandatory DPO under Article 37.
However, GDPR obligations still apply—just not the DPO requirement.
Example 5: SaaS HR Analytics Platform
An HR analytics SaaS platform processes:
- Employee performance data
- Absence records
- Productivity metrics
- Behavioral analysis
Clients include multinational companies, and processing is continuous and central to the service.
Even if health data is limited, systematic monitoring of individuals at scale applies.
Result: Mandatory DPO under trigger #2.
Common Misconceptions About Article 37
“We’re too small to need a DPO”
False. Size is not decisive—processing nature is.
“We don’t monitor users intentionally”
Monitoring includes indirect tracking, analytics, profiling, and automated assessment.
“We appointed someone unofficially”
A DPO must be formally designated, documented, and empowered.
“Outsourcing removes responsibility”
Outsourcing is allowed, but responsibility remains with the controller.
Best Practices for Article 37 Compliance
Organizations subject to Article 37 should:
- Document the reasoning for appointing (or not appointing) a DPO
- Define DPO responsibilities clearly
- Ensure independence and direct access to leadership
- Publish DPO contact details
- Involve the DPO early in new processing initiatives
Even organizations not legally required to appoint a DPO may benefit from a voluntary appointment, especially in high-risk processing environments.
Final Thoughts: Why Article 37 Matters Strategically
GDPR Article 37 is not merely a formal requirement—it is a risk-management mechanism. The DPO serves as an internal safeguard against regulatory exposure, operational blind spots, and reputational damage.
Organizations that understand and apply Article 37 correctly are not just compliant—they are better prepared for audits, breaches, and evolving regulatory expectations.
In practice, appointing the right DPO often costs far less than not having one when the law requires it.