GDPR Art. 37 mandates designation of a Data Protection Officer for public authorities, organizations engaged in large-scale systematic monitoring, or those processing special category data at scale. Most B2B and B2C SaaS products do not meet these thresholds — but the absence of any privacy contact creates a separate problem: Art. 13(1)(b) requires controllers to provide contact details for the DPO or, where no DPO exists, the controller itself. If data subjects have no documented way to reach someone about privacy matters, they cannot exercise their Art. 15–22 rights in practice. A privacy email address in the footer is minimal but required; not having one is independently sanctionable.
Severity is Info because mandatory DPO requirements are rarely triggered for standard SaaS; the primary gap is usually missing documentation of the exemption assessment and the absence of a reachable privacy contact.
Document the Art. 37 assessment and ensure a privacy contact is accessible in the privacy policy, even if formal DPO designation is not required.
## DPO Assessment — Art. 37 GDPR
Date: 2026-02-22
- Public authority or body: No
- Core activities = large-scale systematic monitoring: No
  (Analytics are product-incidental, not the core business)
- Core activities = large-scale special category data: No
Conclusion: DPO designation not mandatory.
Voluntary privacy contact: privacy@example.com
(We aim to respond to all privacy inquiries within 30 days.)
Store this in docs/dpo-assessment.md. Publish privacy@example.com in your privacy policy under a 'Contact Us' section. If your application later expands into health data processing or systematic behavioral profiling at scale, re-evaluate the Art. 37 threshold and register the DPO with your national supervisory authority if required.
ID: gdpr-readiness.breach-accountability.dpo-if-required
Severity: info
What to look for: GDPR Article 37 mandates a Data Protection Officer in three situations: (1) the controller is a public authority, (2) core activities consist of large-scale, systematic monitoring of individuals, or (3) core activities consist of large-scale processing of special category data or data relating to criminal convictions. For most standard web applications and SaaS products, DPO designation is not mandatory. Check whether the application falls into any of these categories. If DPO designation is required, look for the DPO's contact details in the privacy policy. If not required, check whether this assessment is documented and whether there is a designated privacy contact (not necessarily a formal DPO) accessible in the privacy policy. Count all instances found and enumerate each.
Pass criteria: If GDPR Art. 37 triggers apply, a DPO is designated and their contact details are in the privacy policy. If Art. 37 does not apply, this has been assessed and documented, and a privacy contact (even if not a formal DPO) is accessible in the privacy policy. At least 1 implementation must be confirmed.
Fail criteria: Application clearly triggers Art. 37 (large-scale health data processing, public authority, systematic large-scale monitoring) but no DPO is designated. No privacy contact of any kind accessible to data subjects.
Skip (N/A) when: Application is a startup or small business not engaged in large-scale or systematic monitoring, does not process special category data at scale, and is not a public authority. Document this assessment explicitly.
Detail on fail: Example: "Application processes health data at scale — Art. 37 may be triggered. No DPO designated and no assessment documented." or "No privacy contact email or form in privacy policy. Data subjects have no documented way to reach the controller."
Remediation: Document the DPO assessment and ensure a privacy contact is accessible:
## DPO Assessment (Art. 37 GDPR)
Assessment date: 2026-02-22
- Public authority or body: No
- Core activities involve large-scale, systematic monitoring: No
  (Analytics are incidental to the service, not the core business activity)
- Core activities involve large-scale processing of special category data: No
Conclusion: DPO designation is not mandatory under Art. 37.
Voluntary privacy contact: privacy@example.com
(We aim to respond to all privacy inquiries within 30 days.)
If DPO designation is required, register the DPO with your national supervisory authority and publish their contact in the privacy policy: "Our Data Protection Officer can be contacted at dpo@example.com."