Most SaaS companies do not need to appoint a Data Protection Officer (DPO). But the criteria that trigger mandatory appointment are broader than many founders realise — and getting it wrong in either direction creates risk.
This guide explains exactly when a DPO is legally required, when one is recommended even if not required, and what the role actually involves.
When a DPO Is Mandatory
Article 37 of GDPR requires a DPO in three situations:
1. You Are a Public Authority or Body
If you are a government body, regulatory authority, or public institution — this applies to you. It does not apply to private SaaS companies regardless of who their customers are.
2. You Carry Out Large-Scale Systematic Monitoring of Individuals
"Systematic monitoring" means tracking or observing individuals on a large scale — not incidentally, but as a core part of your business activity.
Examples that trigger this:
- Tracking user behaviour across the internet (ad tech, data brokers)
- Real-time location tracking of individuals
- Employee monitoring at scale
- Surveillance-as-a-service platforms
Does this apply to typical SaaS? Processing product analytics for your own users is not systematic monitoring in the sense that triggers DPO appointment. The monitoring must be of individuals as a core purpose, not as a byproduct of delivering a service.
3. You Process Special Category Data or Criminal Conviction Data on a Large Scale
Special category data under Article 9: health data, biometric data, genetic data, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation.
"Large scale" has no precise definition, but the Article 29 Working Party guidance suggests considering: the number of individuals, the volume of data, the geographic extent, and the duration of the processing.
Examples that trigger this:
- Healthcare SaaS processing patient health records for a large provider
- Mental health or wellbeing apps processing health or psychological data at scale
- Biometric identity verification platforms
- Insurance platforms processing health or disability data at scale
Does this apply to typical SaaS? If you build productivity, project management, analytics, sales, or communication tools and do not intentionally collect special category data — probably not. But if your product allows users to upload documents, messages, or data that may contain special category data (a healthcare provider uploading patient files to your document tool), review carefully.
Decision Tree
1. Are you a public authority?
→ Yes: DPO required
→ No: continue
2. Is systematic monitoring of individuals a CORE activity of your business (not incidental to service delivery)?
→ Yes: DPO required
→ No: continue
3. Do you process special category or criminal data at large scale as a CORE activity?
→ Yes: DPO required
→ No: DPO not mandatory
When a DPO Is Recommended (But Not Required)
Even if mandatory appointment does not apply, many SaaS companies appoint a DPO or a DPO equivalent because:
- Enterprise sales requires it. Some enterprise customers and public sector buyers require a named DPO as a condition of contract.
- You process substantial volumes of personal data. The mandatory threshold is "large scale" — but a company processing millions of user records has meaningful exposure even if it does not technically meet the threshold.
- You operate in regulated sectors. Healthtech, fintech, or legaltech companies benefit from a DPO even if the specific criteria are not met.
- You are scaling rapidly. If you are approaching the threshold — growing user base, new health or biometric features — it is worth appointing early.
What a DPO Actually Does
The DPO is not personally liable for GDPR compliance — the organisation is. The DPO's role is to:
- Advise the organisation and employees on GDPR obligations
- Monitor compliance, including staff awareness-raising and training
- Advise on DPIAs and review their execution
- Act as the contact point for supervisory authorities
- Cooperate with the supervisory authority when it investigates
- Act as the contact point for data subjects exercising their rights
Critically: the DPO must be independent. They cannot receive instructions from the organisation on how to perform DPO tasks, and cannot be dismissed for performing those tasks. This creates tension — a founder or Head of Legal who "also acts as DPO" may not satisfy the independence requirement.
Who Can Be a DPO
The DPO must have:
- Expert knowledge of data protection law and practices
- The ability to perform DPO tasks (independence, access to management, adequate resources)
A DPO can be:
- An employee (internal DPO)
- A third-party service provider (external DPO) — this is common for SMEs
- A shared DPO across a group of companies
Many SaaS startups use an external DPO service (typically €5,000–15,000/year from a law firm or specialist provider) rather than making a dedicated internal hire.
DPO vs Data Protection Lead
If you do not need a DPO, you should still designate a named person responsible for data protection — often called a Data Protection Lead or Privacy Lead. This person:
- Owns the RoPA (record of processing activities) and keeps it updated
- Fields data subject access requests
- Coordinates breach response
- Manages DPA negotiations with customers and vendors
- Ensures privacy is considered in product development
This is not a full-time role at most early-stage SaaS companies — it is typically an additional responsibility for a legal, compliance, or operations hire.
Member State Variations
Some EU member states have expanded the mandatory DPO requirement beyond Article 37:
- Germany: Employee monitoring and HR data processing often trigger DPO requirements under German law
- France: CNIL guidance encourages voluntary DPO appointment for companies processing personal data at scale
If you operate in specific member states with significant volumes of employee or customer data, review national law requirements in addition to the baseline Article 37 criteria.
What Happens If You Should Have a DPO and Don't
Failure to appoint a DPO when required is an infringement of GDPR — specifically of Article 37. The maximum fine for this infringement (under Article 83(4)) is €10,000,000 or 2% of global annual turnover, whichever is higher.
In practice, supervisory authorities typically issue this type of fine as part of a broader investigation rather than as a standalone action — but it adds to total penalty exposure when other GDPR failures are also found.