The following three areas need to be reviewed to say if you need to appoint a DPO:
1. Company size / number of employees
If more than 9 employees regularly deal with automated data processing (collection and use), the obligation exists. This also applies if at least 20 employees are employed who regularly deal with non-automated data processing.
2. Type of data
As soon as personal data is processed that informs about a person's ethnic origin, race, political opinion, religious conviction, trade union membership, health or sexual life, it is also mandatory.
Insofar as personal data is transmitted, collected, processed or used in a businesslike manner, the obligation generally exists irrespective of the number of employees.