European Union

A company appointed no Data Protection Officer despite processing health data. Is this required?

Art. 37(1)(b): GDPR condition
Large-scale: Trigger threshold
Health data: Special category
Mandatory: DPO requirement

The Short Answer

Yes, appointing a Data Protection Officer (DPO) is mandatory if a company processes large-scale health data under the GDPR.

What the Law Says

The General Data Protection Regulation (GDPR) sets strict conditions for when a Data Protection Officer must be appointed. One of those conditions applies directly to health data processing.

Under Article 37(1)(b) of the GDPR, a DPO must be designated where the core activities of the controller or processor consist of processing on a large scale of special categories of personal data — including health data — as defined in Article 9.

Health data is explicitly listed as a 'special category' under Article 9(1), which includes 'personal data concerning health', such as information about physical or mental health, medical history, or healthcare services received.

The term 'large scale' is not defined numerically in the GDPR, but the European Data Protection Board (EDPB) clarifies that it depends on factors like volume, duration, geographical extent, and number of individuals affected. Processing health data across multiple clinics, hospitals, or digital health platforms typically meets this threshold.

Statutory Text

The controller or processor shall designate a data protection officer in any case where: (b) the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data pursuant to Article 9...

Regulation (EU) 2016/679, Art. 37(1)(b)

Statutory Text

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Regulation (EU) 2016/679, Art. 9(1)

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.