Who can and who does not have to designate a DPO?

Art. 37 para. 1 of the General Data Protection Regulation provides for the obligation to designate a data protection officer for controllers and processors where:

1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.

2. core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

In the interpretation of the notions used in Art. 37 para. 1 letters b and c of the GDPR („core activities”, „regular and systematic monitoring” and „on a large scale”) the recitals of the GDPR and Article 29 Working Party’s Guidelines on Data Protection Officers may be useful.