§ GDPR · Article 37

GDPR Article 37: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 37 · All obligations · GDPR
At a glance
Article 37 of the GDPR imposes 8 obligations on associations and other bodies representing categories of controllers or processors, controller, group of undertakings and 2 other entity type(s).
§ Obligations

All obligations under Article 37

Obligation 1
The controller and the processor shall designate a data protection officer where processing is carried out by a public authority or body, except for courts acting in their judicial capacity. Regulation (EU) 2016/679, Article 37, Article 37
Obligated entity
controller, processor
Sector scope
public authority or body
Action required
designate
Deadline
Penalty
Exemptions
courts acting in their judicial capacity
Obligation 2
The controller and the processor shall designate a data protection officer where core activities consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale. Regulation (EU) 2016/679, Article 37, Article 37
Obligated entity
controller, processor
Action required
designate
Deadline
Penalty
Obligation 3
The controller and the processor shall designate a data protection officer where core activities consist of large-scale processing of special categories of data or personal data relating to criminal convictions and offences. Regulation (EU) 2016/679, Article 37, Article 37
Obligated entity
controller, processor
Action required
designate
Deadline
Penalty
Obligation 4
A group of undertakings may appoint a single data protection officer provided that the officer is easily accessible from each establishment. Regulation (EU) 2016/679, Article 37, Article 37
Obligated entity
group of undertakings
Action required
appoint
Deadline
Penalty
Obligation 5
Where the controller or processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size. Regulation (EU) 2016/679, Article 37, Article 37
Obligated entity
public authority or body
Sector scope
public authority or body
Action required
designate
Deadline
Penalty
Obligation 6
In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. Regulation (EU) 2016/679, Article 37, Article 37
Obligated entity
controller, processor, associations and other bodies representing categories of controllers or processors
Action required
designate
Deadline
Penalty
Obligation 7
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. Regulation (EU) 2016/679, Article 37, Article 37
Obligated entity
controller, processor
Action required
designate
Deadline
Penalty
Obligation 8
The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority. Regulation (EU) 2016/679, Article 37, Article 37
Obligated entity
controller, processor
Action required
publish, communicate
Deadline
Penalty
§ Frequently asked

Questions about Article 37

Who must comply with Article 37 of the GDPR? +
associations and other bodies representing categories of controllers or processors, controller, group of undertakings, processor, public authority or body.
What does Article 37 of the GDPR require? +
designate appoint publish, communicate
Need a cross-border briefing on GDPR Article 37?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles