§ GDPR · Article 37
GDPR Article 37: Obligations, Deadlines & Penalties
At a glance
Article 37 of the GDPR imposes 8 obligations on associations and other bodies representing categories of controllers or processors, controller, group of undertakings and 2 other entity type(s).
§ Obligations
All obligations under Article 37
Obligation 1
The controller and the processor shall designate a data protection officer where processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
Regulation (EU) 2016/679, Article 37, Article 37
- Obligated entity
-
controller, processor
- Sector scope
- public authority or body
- Action required
-
designate
- Deadline
-
—
- Penalty
-
—
- Exemptions
- courts acting in their judicial capacity
Obligation 2
The controller and the processor shall designate a data protection officer where core activities consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale.
Regulation (EU) 2016/679, Article 37, Article 37
- Obligated entity
-
controller, processor
- Action required
-
designate
- Deadline
-
—
- Penalty
-
—
Obligation 3
The controller and the processor shall designate a data protection officer where core activities consist of large-scale processing of special categories of data or personal data relating to criminal convictions and offences.
Regulation (EU) 2016/679, Article 37, Article 37
- Obligated entity
-
controller, processor
- Action required
-
designate
- Deadline
-
—
- Penalty
-
—
Obligation 4
A group of undertakings may appoint a single data protection officer provided that the officer is easily accessible from each establishment.
Regulation (EU) 2016/679, Article 37, Article 37
- Obligated entity
-
group of undertakings
- Action required
-
appoint
- Deadline
-
—
- Penalty
-
—
Obligation 5
Where the controller or processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
Regulation (EU) 2016/679, Article 37, Article 37
- Obligated entity
-
public authority or body
- Sector scope
- public authority or body
- Action required
-
designate
- Deadline
-
—
- Penalty
-
—
Obligation 6
In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer.
Regulation (EU) 2016/679, Article 37, Article 37
- Obligated entity
-
controller, processor, associations and other bodies representing categories of controllers or processors
- Action required
-
designate
- Deadline
-
—
- Penalty
-
—
Obligation 7
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Regulation (EU) 2016/679, Article 37, Article 37
- Obligated entity
-
controller, processor
- Action required
-
designate
- Deadline
-
—
- Penalty
-
—
Obligation 8
The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
Regulation (EU) 2016/679, Article 37, Article 37
- Obligated entity
-
controller, processor
- Action required
-
publish, communicate
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 37
Who must comply with Article 37 of the GDPR?
+
associations and other bodies representing categories of controllers or processors, controller, group of undertakings, processor, public authority or body.
What does Article 37 of the GDPR require?
+
designate appoint publish, communicate