Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Section 5.1 Which organisations must appoint a DPO?
The designation of a DPO is an obligation:
if the processing is carried out by a public authority or body (irrespective of what data is being processed)
if the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale
if the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences