DPO Mandatory or Not? Everything You Need to Know About This Key GDPR Role (2026)
Is a DPO mandatory for your business? GDPR Article 37 sets out three specific triggers — none linked to headcount. For SMEs outside those cases, the real question is whether voluntary appointment makes operational sense. This article covers the legal thresholds, the DPO's core missions, the internal versus external versus shared comparison, applicable sanctions, and a practical decision framework for 2026.
This topic is part of our service
Business law support in France | Corporate secretarialExpert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
One of the most common questions that reaches compliance-minded business owners — and accountants advising them on governance — is whether they are legally required to appoint a DPO (Data Protection Officer) under GDPR (the EU General Data Protection Regulation, Regulation (EU) 2016/679). The short answer is: it depends entirely on the nature of your data processing, not the size of your organisation.
The confusion is understandable. French employment law uses headcount thresholds for many obligations, so it feels natural to expect a similar rule for data protection. GDPR does not work that way. A ten-person start-up processing health data at scale can be legally required to appoint a DPO. A 300-employee distribution company running standard payroll and CRM may not be — formally, at least. The distinction matters enormously when assessing both legal exposure and the cost-benefit of voluntary appointment.
In brief: a DPO is mandatory for public authorities and bodies, for organisations whose core activity involves regular and systematic large-scale monitoring of individuals, and for organisations whose core activity involves large-scale processing of special-category data (health, biometrics, political opinions, religion, ethnic origin, sexual orientation) or criminal data. Outside these three cases, appointment is optional — but the CNIL (the French data-protection authority) recommends it in many circumstances.
When Is a DPO Legally Required Under GDPR?#
Article 37 of GDPR sets out three distinct scenarios that trigger mandatory appointment. These apply regardless of whether the organisation is a controller or a processor, and regardless of its legal form or sector.
Trigger 1 — Public authorities and bodies. Any public authority or body must appoint a DPO. This covers local and central government bodies, public agencies, state-owned establishments, and entities carrying out a public-service mission.
Trigger 2 — Large-scale regular and systematic monitoring as a core activity. The obligation applies when the organisation's core business — not a secondary function — consists of monitoring, profiling, tracking or observing individuals on a regular and systematic basis at large scale. The "large scale" threshold considers the number of individuals concerned, the geographic spread, the duration of processing, and the volume and variety of data. Classic examples include adtech platforms, behavioural analytics providers, telecoms operators and geolocation applications.
Trigger 3 — Large-scale processing of special-category or criminal data as a core activity. Special-category data under Article 9 includes health data, biometric data, genetic data, data revealing political opinions, religious or philosophical beliefs, trade-union membership, racial or ethnic origin, and data concerning sex life or sexual orientation. Article 10 covers data relating to criminal convictions and offences. Hospitals, insurance companies, health-tech start-ups, biometric access-control operators and background-screening services typically fall into this category when processing at scale.
| Situation | DPO Mandatory? | Practical Examples |
|---|---|---|
| Public authority or body | Yes | Local council, public hospital, state agency |
| Core activity = regular systematic large-scale monitoring | Yes | Adtech platform, telecom operator, geolocation app |
| Core activity = large-scale processing of special-category or criminal data | Yes | Health clinic, insurer, biometrics provider, HR screening |
| Standard SME with CRM, invoicing and payroll | Not automatically | Consultancy, agency, retailer, manufacturer |
| SME with digital marketing but no intensive profiling | Not automatically | Service business with newsletter and basic analytics |
| Health-tech start-up with growing user base | Analysis required | Must assess scale before threshold is crossed |
Why Headcount Does Not Determine the Obligation#
There is no employee-count threshold in GDPR that triggers or removes the DPO obligation. The CNIL is explicit on this point. A micro-enterprise can be subject to mandatory appointment; a large enterprise may not be, if its processing is routine and non-sensitive.
What matters is the characterisation of your data processing: is it a core activity or ancillary? Is it regular and systematic? Does it reach large scale? Does it involve special-category data? These are qualitative and quantitative questions that require an actual analysis of your processing register, your tools, and your business model.
A note for UK-based readers. The UK GDPR, which applies following the UK's departure from the EU, contains equivalent provisions on DPO appointment under Article 37. The substantive criteria are very similar, with the ICO (Information Commissioner's Office) playing the supervisory role that the CNIL plays in France. This article focuses on the EU GDPR framework as applied in France, where Hayot Expertise operates.
Our observation from practice. The most frequent error we encounter in SME files is the assumption that "we are too small" to require a DPO. A SaaS start-up that has grown from a thousand to a hundred thousand users over eighteen months, processing behavioural data as part of its core service, may have crossed the threshold without anyone having conducted a formal assessment. The problem is not just the absence of a DPO — it is the absence of documented analysis, which is itself a GDPR breach.
How to Determine Whether You Are Affected: A Five-Step Method#
Before concluding that your organisation is — or is not — required to appoint a DPO, document the analysis. The process matters as much as the conclusion.
- Map your actual processing activities. Do not rely on contracts or data-flow diagrams that were drafted at incorporation. List every personal data flow: customers, prospects, employees, suppliers, partners, SaaS tools, analytics platforms. Focus on what you actually do, not what you intended to do.
- Classify the data you process. Do any of your processing activities involve special-category data under Article 9 or criminal data under Article 10? If yes, assess scale.
- Assess the nature and regularity of any monitoring or profiling. Is your core business model based on observing, tracking or profiling individuals? Is this continuous or periodic? Automated or manual?
- Estimate the scale. How many individuals are affected? Over what period? In how many countries? Processing affecting tens of thousands of individuals continuously is materially different from a one-off processing of a hundred records.
- Document your conclusion and review it annually. Whether you conclude that appointment is mandatory, recommended, or not currently necessary, formalise the reasoning in writing. In the event of a CNIL inspection, this documentation demonstrates a structured compliance approach. Revise it whenever you introduce new tools, new processing activities, or significant changes to your business model.
What Does a DPO Actually Do? Core Missions Under Article 39#
The DPO's role is defined at Article 39 of GDPR. It is a substantive operational function, not a ceremonial title.
| Mission | What It Means in Practice |
|---|---|
| Inform and advise | Ensure the controller, processors and staff understand GDPR obligations and their implications for specific processing activities |
| Monitor compliance | Audit processing activities, review the Article 30 processing register, check data protection clauses in supplier contracts |
| Advise on DPIAs | Identify high-risk processing activities that require a DPIA (data-protection impact assessment) under Article 35, and guide the process |
| Cooperate with supervisory authority | Act as the primary contact point with the CNIL for audits, inspections and notifications |
| Handle data-subject rights | Receive and coordinate responses to access, rectification, erasure, portability and objection requests |
| Train and raise awareness | Run staff training, maintain internal data protection policies, embed a compliance culture |
The DPO must be independent: they cannot receive instructions on how to exercise their tasks, cannot be penalised for doing their job, and must have access to the resources and information they need. Their contact details must be published (typically in the organisation's privacy notice) and communicated to the CNIL.
Internal, External or Shared DPO: Which Model Works for SMEs?#
GDPR imposes no requirement for the DPO to be a full-time employee or even an internal hire. Three models are widely used.
| Model | Advantages | Limitations | Best Suited To |
|---|---|---|---|
| Internal DPO (dedicated employee) | Deep organisational knowledge, permanent availability, cultural integration | High salary cost, recruitment difficulty, conflict-of-interest risk if the role is also operational | Large organisations, heavily regulated sectors (healthcare, finance, insurance) |
| External DPO (third-party service provider) | Available expertise without recruitment, structural independence, predictable cost | Requires a well-scoped engagement, availability to negotiate, organisation knowledge built over time | SMEs, scale-ups, mid-market companies without a dedicated compliance headcount |
| Shared DPO (across a group or consortium) | Cost-effective for related entities, unified governance approach | Must remain genuinely available to each entity; workload must be realistic and documented | Corporate groups, franchise networks, trade associations |
An indicative cost range (to be verified against current market rates). Retaining an external shared DPO for an SME typically falls in a range from a few thousand euros to roughly ten thousand euros per year, depending on the complexity and volume of processing activities, the frequency of engagement, and the organisation's current state of GDPR maturity. This figure is modest relative to the sanctions that can apply for a serious breach.
When Should You Appoint a DPO Even Without a Legal Obligation?#
The CNIL explicitly recommends voluntary DPO appointment in several situations that fall short of the mandatory threshold:
- The organisation uses a CRM, marketing automation platform, or commercial-scoring tool.
- The organisation deploys AI, video surveillance or geolocation as part of its operations.
- HR processes handle significant volumes of employee personal data, including health-related information.
- Multiple SaaS providers and sub-processors access the same data flows.
- The organisation responds to B2B procurement processes that include data security questionnaires.
- The organisation wants to be able to respond promptly and credibly to a CNIL inquiry or an incident notification requirement.
In these contexts, the DPO — even a part-time external one — provides a compliance-piloting function that internal teams typically cannot sustain on their own, given constraints of time, expertise and independence.
What Sanctions Apply if a Mandatory DPO Is Not Appointed?#
Failure to appoint a DPO where one is required under Article 37 constitutes a GDPR breach. Under Article 83, paragraph 4, this breach is subject to administrative fines of up to €10 million, or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.
More serious infringements — breaches of fundamental processing principles, unlawful processing, violations of data subjects' rights — attract fines under Article 83, paragraph 5, of up to €20 million or 4% of total worldwide annual turnover.
In France, CNIL enforcement decisions are published. For large organisations, fines in the tens of millions of euros have been issued. For SMEs, monetary penalties tend to be lower, but formal notices and remediation orders are published and publicly accessible — with material reputational consequences for businesses operating in B2B environments where procurement due diligence is routine.
The underestimated risk. Beyond the fine itself, the absence of a mandatory DPO is typically accompanied by a cascade of related deficiencies: an incomplete or absent processing register, missing DPIAs, non-compliant sub-processor agreements, and inadequate data-breach notification procedures. A CNIL inspection rarely stops at the DPO question; it examines the entire compliance chain.
Common Mistakes to Avoid#
- Concluding that no DPO is required based solely on headcount, without reviewing the actual processing register.
- Confusing the DPO role with the IT manager or CISO: these are distinct functions with different remits and different independence requirements.
- Appointing a DPO without providing adequate resources, information access and independence.
- Failing to publish the DPO's contact details and notify the CNIL.
- Creating a conflict of interest by assigning DPO responsibilities to someone who decides on the purposes and means of the very processing they are supposed to oversee.
- Treating GDPR compliance software as a substitute for governance, legal analysis and human judgement.
- Not documenting the decision not to appoint a DPO when the obligation does not apply — leaving the organisation unable to demonstrate its analysis in the event of an inspection.
A Practical Decision Framework for 2026#
| Your Situation | DPO Mandatory? | Recommended Action |
|---|---|---|
| Public authority or body | Yes | Appoint without delay; notify the CNIL |
| Core activity = systematic large-scale monitoring | Yes | Appoint without delay; document the analysis |
| Core activity = large-scale special-category or criminal data | Yes | Appoint without delay; conduct DPIAs on relevant processing |
| SME with CRM, SaaS stack and standard HR data | No, formally | External DPO strongly recommended |
| Scale-up with growing user data base | Assessment required | Map processing, assess scale, decide before the threshold is crossed |
| Micro-enterprise with no sensitive data processing | No | Processing register and compliant privacy notices are the priority |
This article provides general information on GDPR criteria for DPO appointment. The question of whether appointment is mandatory depends on the precise nature of your processing activities, your sector and your situation at the time of assessment. It does not constitute legal advice and does not replace a review by a qualified legal practitioner or data-protection specialist.
Frequently asked questions
Le DPO est-il obligatoire pour toutes les entreprises ?
Non. Le RGPD n'impose la désignation d'un DPO que dans trois cas précis : les autorités et organismes publics, les organismes dont l'activité de base consiste en un suivi régulier et systématique des personnes à grande échelle, et les organismes dont l'activité de base consiste en un traitement à grande échelle de données sensibles (art. 9) ou de données relatives à des condamnations (art. 10). Pour toutes les autres structures, la désignation reste facultative, mais souvent recommandée par la CNIL.
Y a-t-il un seuil de salariés qui rend le DPO obligatoire ?
Non. Le RGPD ne prévoit aucun seuil d'effectif. Ce sont la nature des traitements, leur régularité, leur échelle et la sensibilité des données traitées qui déterminent l'obligation. Une TPE peut être concernée, une grande entreprise peut ne pas l'être formellement si ses traitements sont classiques.
Peut-on désigner un DPO externe ou mutualisé ?
Oui. Le RGPD autorise explicitement le recours à un DPO externe, par exemple un prestataire spécialisé. Le DPO peut également être mutualisé entre plusieurs entités d'un même groupe. L'essentiel est qu'il dispose de l'indépendance, des moyens et du temps nécessaires pour exercer sa mission, et que ses coordonnées soient transmises à la CNIL et publiées.
Quelles sanctions risque-t-on en cas d'absence de DPO obligatoire ?
L'absence de DPO lorsqu'il est requis constitue un manquement au RGPD, passible d'une amende administrative pouvant atteindre 10 millions d'euros ou 2 % du chiffre d'affaires annuel mondial (article 83, paragraphe 4). En pratique, le risque inclut aussi une mise en demeure publiée par la CNIL, avec un impact réputationnel significatif.
Quelles sont les principales missions du DPO au quotidien ?
Selon l'article 39 du RGPD, le DPO informe et conseille l'organisme et ses équipes, contrôle le respect du RGPD, conseille sur les analyses d'impact (AIPD), coopère avec la CNIL et sert de point de contact pour les personnes concernées. Il doit être indépendant et rattaché au plus haut niveau hiérarchique.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.
Sources
Official and operational sources cited for this page.
This topic is part of our service Business law support in France | Corporate secretarial
Need a quote or personalised advice?
Our accountancy firm supports you through all your steps. Get a free quote to review your situation and receive a bespoke fee proposal, or contact us directly.