Q: Does my business need to appoint a Data Protection Officer (DPO)?
A: DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
Now it says:
http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN...
>The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Basically small firm that is just holding minimum amount of customer/user information and data and where the business model is not centered around profiling and processing user data.
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...
>Staff headcount and financial ceilings determining enterprise categories
> 1. The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.