Article 37 GDPR
Appointment of the data protection inspector

1. The controller and the processor shall designate a data protection officer whenever:

(a) the processing shall be carried out by a public authority or body, with the exception of courts in the field of their administration of justice;

(b) the main activity of the controller or processor consists of processing operations which, by reason of their nature, scope or purpose, require regular and systematic monitoring of data subjects on a large scale; or

(c)

*

the core activities of the controller or processor consist of the large-scale processing of special categories of personal data referred to in Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.

2. A group of companies can appoint a single data protection officer, as long as he or she can be easily contacted from each business unit.

3. If the controller or processor is a public authority or entity, a single data protection officer may be appointed for several such authorities or entities, taking into account their organizational structure and size.

4. In cases other than those referred to in paragraph 1, a controller, processor, associations or other entities representing certain categories of controllers or processors may appoint, or if required by Union or Member State law, shall appoint, a data protection officer. The data protection officer may act on behalf of such associations and other entities representing controllers or processors.

5. The Data Protection Officer shall be appointed on the basis of professional qualifications, in particular expertise in data protection law and practices, and the ability to perform the tasks referred to in Article 39.

6. The data protection officer may be a member of the controller's or processor's staff or perform tasks under a service contract.

7. The controller or processor shall publish the contact details of the data protection officer and notify the supervisory authority.