GDPR Guide 8 min read Last updated: June 2025

When Do You Need a DPO Under GDPR? A Complete Guide for Multi-Entity Organizations

Updated 2026-05-18
Key Takeaways: GDPR Article 37 mandates a DPO in three scenarios — public authorities, large-scale monitoring, and special-category data processing.

Article 37 of the GDPR mandates a Data Protection Officer in three specific scenarios, but for organizations operating across subsidiaries and jurisdictions, the real question isn't whether you need one; it's how many and how they coordinate. Here's everything you need to know.


The DPO Question Sounds Simple, Until You're Managing 12 Entities Across 6 Countries

Most articles give you a textbook answer. But if you're searching this question, your situation probably isn't textbook. Here are the challenges that make DPO requirements genuinely difficult for multi-entity organizations.

47 spreadsheets: used by one 12-subsidiary enterprise to manage GDPR compliance before switching to Priverion (based on Priverion founding insight, observed across multi-subsidiary enterprises)

Subsidiaries Triggering Independent Obligations

A parent company in Germany with subsidiaries in France, Italy, and Portugal may find each entity independently triggers DPO requirements under Article 37(1). Your healthcare subsidiary processes special category data. Your marketing subsidiary runs large-scale behavioral profiling. Each creates its own obligation, and each needs visibility the DPO often doesn't have.

60%: reduction in compliance admin time at an aircraft manufacturer that previously spent it on manual ROPA updates (first 6 months with Priverion)

The "Easily Accessible" Trap for Group DPOs

Article 37(2) allows a single group DPO, but only if they're "easily accessible from each establishment." In practice, a DPO in Munich who doesn't speak Portuguese and doesn't understand CNPD guidance isn't accessible to your Lisbon subsidiary. Without centralized tooling, group DPOs spend their weeks chasing updates across business units instead of doing strategic privacy work.

200+ hours: saved by Medtec in ISO 27001 preparation using Priverion

Appointing a DPO Is the Beginning, Not the End

The real challenge starts after appointment. Your DPO needs group-wide visibility into processing activities, DPIAs, incidents, and data subject requests across every entity. Without a centralized platform, they're stuck coordinating via email chains and shared drives: exactly the operational blind spots that supervisory authorities will find during an audit.

If you're Googling this question, there's a good chance your organization's situation is more complex than a single yes/no answer. The DPO appointment decision isn't just a legal checkbox; it's an operational architecture decision.


200+ hours saved on ROPA management: Medtec reclaimed 200+ hours previously spent on manual documentation during ISO 27001 preparation, within the first year of implementation.

60% lower cost vs. legacy platforms: an aircraft manufacturer reduced compliance admin costs by 60% in the first 6 months, with predictable pricing based on entities, not per-user expansion traps.

3 months ahead of schedule on ISO 27001: Medtec accelerated their ISO 27001 certification timeline by 3 months using Priverion's audit-ready evidence packages and automated documentation workflows.

The Three Mandatory DPO Appointment Scenarios Under GDPR Article 37

Article 37(1) of the GDPR sets out exactly three scenarios where appointing a Data Protection Officer is mandatory. These aren't suggestions; failure to appoint when required has drawn fines from supervisory authorities across the EU.

Scenario 1: Public authorities and bodies

Article 37(1)(a): "The processing is carried out by a public authority or body, except for courts acting in their judicial capacity."

This applies to any organization classified as a public authority under national law: government agencies, municipalities, public universities, and state-owned enterprises. The definition varies by member state. In Germany, public-law broadcasting institutions are covered. In France, the CNIL has clarified that organizations delivering public services under contract may also fall within scope.

If your organization receives public funding or delivers services on behalf of a public body, check whether your national DPA classifies this as "public authority" processing; the definition is broader than most expect.

Scenario 2: Large-scale, regular and systematic monitoring

Article 37(1)(b): "The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale."

This is where most mid-market organizations get tripped up. "Core activities" doesn't mean HR or payroll processing; it means the processing that is central to achieving your business objectives. The WP29 guidelines (now endorsed by the EDPB) define key terms as follows:

  • "Regular" means ongoing or occurring at particular intervals, not one-off. Customer loyalty tracking, network monitoring, and employee location tracking all qualify.
  • "Systematic" means occurring according to a system, pre-arranged, organized or methodical. Behavioral advertising, credit scoring, and fraud detection systems are systematic by nature.
  • "Large scale" considers the number of data subjects, volume of data, geographic extent, and duration of processing. There is no fixed numerical threshold, but a city-wide CCTV network or a telecom processing millions of customer records clearly qualifies.

For multi-entity organizations, this is where complexity multiplies. Your parent company may not independently trigger this threshold, but three subsidiaries combined might. And each subsidiary that does trigger it creates its own DPO obligation, unless you designate a group DPO under Article 37(2).

Scenario 3: Large-scale processing of special categories or criminal data

Article 37(1)(c): "The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or of personal data relating to criminal convictions and offences referred to in Article 10."

Special category data includes health data, biometric data, racial or ethnic origin, political opinions, trade union membership, genetic data, and data concerning sex life or sexual orientation. If any of your subsidiaries processes this type of data as a core activity (a healthcare subsidiary, an insurance entity, a genetic testing unit), a DPO is mandatory for that entity.

The "large scale" qualifier applies here too. A single doctor's office processing patient records doesn't meet the threshold. A hospital network processing records across three countries does.


National Laws That Expand the GDPR Baseline

Article 37(4) explicitly allows member states to set additional requirements for DPO appointment. Several have done so, creating traps for organizations that only check the GDPR text.

  • Germany (BDSG Section 38): A DPO is required when at least 20 employees are permanently engaged in automated processing of personal data. This is significantly lower than the GDPR's "large scale" threshold and catches many mid-market companies that wouldn't otherwise be covered.
  • Austria: The Austrian Data Protection Act requires DPOs for processing that creates a high risk to individuals' rights, a broader standard than the GDPR's three scenarios.
  • France: While the CNIL hasn't expanded mandatory appointment beyond GDPR Article 37, its guidance strongly recommends DPO appointment for any organization processing personal data as a significant part of its operations. In practice, French regulators expect a DPO or equivalent function.
  • Romania, Greece, Slovakia: These member states have adopted additional sector-specific DPO requirements, particularly for financial services, telecommunications, and healthcare organizations.

For multi-entity organizations, this means a single group DPO assessment isn't enough. You need to check each subsidiary's obligation against the national law of the country where it's established, not just against the GDPR baseline.


Who Qualifies as a DPO? The Requirements Most Organizations Underestimate

Article 37(5) requires the DPO to be appointed "on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices." The EDPB has clarified this means:

  • Legal and technical knowledge: The DPO must understand both the legal framework and the technical operations of the organization. A lawyer who doesn't understand IT infrastructure, or an IT manager who doesn't understand GDPR, won't meet the standard.
  • Independence: Article 38(3) states the DPO "shall not receive any instructions regarding the exercise of those tasks." This means the DPO cannot be the CISO, the Head of Legal, or anyone whose role creates a conflict of interest. The EDPB has flagged CEO, COO, CFO, Head of HR, and Head of IT as inherently conflicted roles.
  • Adequate resources: Article 38(2) requires the organization to provide "resources necessary to carry out those tasks and access to personal data and processing operations." A DPO appointment without budget, tooling, or access to processing records is a compliance failure waiting to happen.
  • Accessibility: For group DPOs under Article 37(2), "easily accessible from each establishment" means accessible in terms of language, availability, and understanding of local regulatory requirements. A DPO in Zurich managing privacy for a Portuguese subsidiary needs either local language capability or a local privacy coordinator.

The Group DPO Model: How Multi-Entity Organizations Coordinate

Article 37(2) permits a group of undertakings to appoint a single DPO, provided they are "easily accessible from each establishment." In practice, this means building a coordination structure that gives the group DPO real visibility across every entity.

What "easily accessible" actually requires

  • Data subjects in each jurisdiction must be able to contact the DPO in their local language, or at minimum in a language they can reasonably be expected to understand
  • The DPO must be able to communicate effectively with local supervisory authorities in each jurisdiction where the group operates
  • The DPO must have operational visibility into the processing activities, vendors, incidents, and data subject requests of every entity they oversee

The operational reality without centralized tooling

Priverion's founder observed a 12-subsidiary enterprise managing GDPR compliance across 47 spreadsheets. The group DPO was spending the majority of their week chasing business units for ROPA updates, DPIA status reports, and vendor assessment completions: via email, shared drives, and monthly calls that were already outdated by the time they happened.

This is the norm, not the exception. Without a centralized platform that provides group-wide visibility, the group DPO model breaks down into exactly the kind of fragmented, undocumented compliance that supervisory authorities will challenge during an audit.

How Priverion supports the group DPO model

Priverion was built specifically for this architecture. A group DPO using Priverion gets:

  • Cross-entity data mapping with centralized visibility into processing activities across every subsidiary
  • Automated ROPA recertification: AXA achieved a 100% recertification rate with fully automated workflows, eliminating the manual chase
  • DPIA and TIA automation with AI-assisted drafting and risk scoring, with all outputs reviewed by the DPO before they become compliance records
  • Incident management workflows that route breach notifications to the right subsidiary and the right supervisory authority
  • A DPO dashboard providing operational oversight of compliance status across the entire group

All data is processed within Swiss infrastructure, providing European data residency and Swiss data sovereignty, a meaningful legal advantage for organizations managing cross-border data transfers in a post-Schrems II environment.


Even If You Don't Need a DPO: Document Your Assessment

Article 37 doesn't require you to appoint a DPO in every situation, but every supervisory authority expects you to have assessed whether you need one. The absence of a documented assessment is itself a red flag during an investigation.

Your assessment should cover:

  • Each entity within your group, evaluated against the three Article 37(1) scenarios
  • National law requirements in each jurisdiction where you have an establishment
  • Whether you are using the group DPO provision under Article 37(2), and how "easy accessibility" is ensured
  • If you decide not to appoint, the rationale for that decision, documented and dated

This documentation should be reviewed annually, or whenever your group structure, processing activities, or regulatory environment changes.

Frequently Asked Questions About DPO Requirements

Can a group of companies share a single DPO?

Yes. Article 37(2) explicitly allows a group of undertakings to designate a single DPO, provided they are "easily accessible from each establishment." In practice, this requires the DPO to have language capability, regulatory knowledge, and operational visibility across every entity. Without centralized tooling, this model tends to break down as the group scales beyond 5-10 entities.

Can our CISO or Head of Legal also serve as DPO?

Almost certainly not. Article 38(6) allows the DPO to fulfill other tasks, but Article 38(3) requires that these don't result in a conflict of interest. The EDPB has specifically flagged CEO, COO, CFO, Head of HR, Head of IT, and Head of Marketing as roles that inherently conflict with DPO responsibilities. The CISO role is particularly problematic because the CISO is responsible for security decisions that the DPO is supposed to independently oversee.

What happens if we need a DPO but don't appoint one?

Supervisory authorities have issued fines for failure to appoint a DPO when required. The Belgian DPA fined a company EUR 50,000 in 2020 for this violation. Beyond fines, the absence of a DPO means no one is performing the monitoring, advisory, and contact-point functions that Articles 38 and 39 require, which compounds other compliance failures during an investigation.

Does the DPO need to be based in the EU?

The GDPR does not require the DPO to be physically located in the EU, but the "easily accessible" requirement under Article 37(2) makes this practically necessary for most organizations. The DPO needs to be reachable by data subjects and supervisory authorities within a reasonable timeframe and in relevant languages. A DPO based outside European time zones creates accessibility challenges that regulators may not accept.

Can we use an external DPO service?

Yes. Article 37(6) explicitly allows the DPO to be a staff member or to "fulfil the tasks on the basis of a service contract." External DPO services are common for mid-market organizations that need the expertise but can't justify a full-time hire. The key is ensuring the external DPO has genuine independence, adequate resources, and real access to processing operations, not just a name on paper.

How does the Swiss FADP (nDSG) differ from GDPR on DPO requirements?

The Swiss FADP does not mandate DPO appointment. Instead, it introduces a voluntary "Data Protection Advisor" role under Article 10. However, appointing a qualified Data Protection Advisor provides a concrete benefit: it exempts the organization from the obligation to consult with the FDPIC (Swiss Federal Data Protection and Information Commissioner) before high-risk processing. For Swiss-based groups with EU subsidiaries, you may need a DPO under GDPR for your EU entities while the Swiss entities have different requirements.

We voluntarily appointed a DPO; can we remove them?

Technically yes, but proceed carefully. Once appointed, the DPO benefits from the protections in Article 38(3): they cannot be dismissed or penalized for performing their tasks. Removing a voluntarily appointed DPO may also signal to a supervisory authority that you're reducing your compliance posture. If you no longer need a DPO, document the rationale, ensure other compliance functions are covered, and consider maintaining the role at a reduced scope rather than eliminating it.

Do You Actually Need a DPO? Find Out in 5 Minutes.

Stop second-guessing Article 37 requirements. This practical checklist walks you through the exact criteria, so you can make a defensible decision and document it for your supervisory authority.

What's inside:

  • The three mandatory DPO appointment triggers under GDPR Article 37, broken down into plain-language questions you can answer yes or no
  • Country-specific nuances: where national laws expand the GDPR baseline (Germany's BDSG threshold, Austria's requirements, and 6 more EU member states)
  • A documentation template for recording your DPO assessment (whether you appoint one or not), so you're audit-ready if a supervisory authority asks
  • Internal vs. external DPO: a decision framework covering cost, independence, conflict-of-interest risks, and multi-entity considerations for group structures


Priverion vs. OneTrust

Why mid-market teams are making the switch

OneTrust serves Fortune 500 organizations with broader GRC scope and dedicated privacy teams. If you manage privacy across multiple entities but don't need 400 features you'll never touch, here's what the comparison actually looks like.

Priverion

Swiss data sovereignty, by design

Built and hosted entirely in Switzerland. Your compliance data never leaves Swiss infrastructure. In a post-Schrems II world, this isn't a feature; it's a legal necessity for cross-border data transfers.

Built for group-wide management

Multi-entity compliance is our core architecture, not an add-on module. Automated recertification, cross-entity data mapping, and centralized DPO oversight, all native. AXA achieved a 100% ROPA recertification rate across their entire group with fully automated workflows.

AXA customer results, post-implementation

Predictable, mid-market pricing

Pricing based on number of entities and organizational size, not per-user, not per-module. No expansion traps. No surprise invoices when you add a new subsidiary or onboard more business unit owners.

Operational in weeks, not months

Clean UX designed for privacy practitioners, not enterprise software consultants. An aircraft manufacturer cut 60% of compliance admin time within their first 6 months; their DPO shifted from spreadsheet maintenance to strategic privacy work.

Aircraft manufacturer, first 6 months of implementation

AI-assisted, human-controlled

AI drafts DPIAs, scores risks, and maps regulations, but every output is reviewed by your team before it becomes a compliance record. No customer data is used for model training. All processing stays within Swiss infrastructure.

Typical enterprise platform

US-headquartered, multi-region hosting

Data may be hosted in EU data centers, but the parent company is subject to US jurisdiction. For organizations navigating Schrems II implications and cross-border transfer requirements, this creates ongoing legal complexity that in-house counsel has to manage.

Multi-entity as an add-on

Group-wide management is often layered on top of a single-entity architecture. Rolling out to new subsidiaries means additional configuration, additional licensing, and additional cost, each one a project in itself.

Per-user, per-module pricing

Enterprise pricing models that scale with headcount and