Data protection officer — who needs one and what must be published?

A data protection officer — DPO — is the person who independently monitors that an organisation handles personal data in line with the GDPR. Far from everyone must appoint one: the requirement targets the public sector and certain data-driven or sensitive operations, not the typical company. But where the requirement applies, a publication duty follows that is often forgotten: the DPO's contact details must be made public, in practice in the privacy policy. That is the part visible from the outside — and the part that is surprisingly often missing.

GDPR art. 37–39

What does the law say?

GDPR article 37 sets out three situations where the controller must appoint a data protection officer:

  • The processing is carried out by a public authority or body — except for courts acting in their judicial capacity.
  • The core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale — think large-scale behavioural tracking or profiling.
  • The core activities consist of large-scale processing of special categories of data under article 9 — health data, for example — or of data relating to criminal offences.

Articles 38 and 39 describe the DPO's position and tasks: the DPO must be independent, report directly to the highest management level and must not receive instructions on how the tasks are carried out. The tasks are to monitor compliance, train the organisation and act as the contact point for the supervisory authority — in Sweden, IMY. Anyone appointing a DPO voluntarily should know that the same rules then apply in full — a voluntary DPO is not a "DPO light".

Who must have a data protection officer?

The public sector is the clear-cut case: government agencies, municipalities and regions must always appoint a data protection officer — they are public bodies, so the requirement applies without further assessment. A municipality without a DPO, or without published contact details for it, falls short of the GDPR.

For private companies the default is the opposite: most small and medium-sized businesses do not need a data protection officer. The requirement only kicks in when the core activity itself is built on large-scale monitoring of people or large-scale processing of sensitive data — think health platforms or ad networks, not a web shop with a customer register. The concepts "core activities" and "large scale" are matters of assessment, but for the typical company the answer is no.

What must be published?

Article 37.7 places two demands on anyone who has a data protection officer: the contact details must be published, and they must be communicated to the supervisory authority — IMY in Sweden. In practice, publishing means the contact details belong in the privacy policy — that is where a data subject looks for them.

The requirement is less far-reaching than many think: the DPO does not have to be named publicly. An email address or a role-based address — along the lines of dpo@municipality.se — is quite enough. What matters is that the contact route exists, works and actually reaches the DPO.

Common issues we see

  • The organisation has a data protection officer — but the contact details are not in the privacy policy. The DPO exists, yet the publication duty is still breached.
  • The policy mentions that a DPO has been appointed but gives no contact route — the visitor learns that the DPO exists, not how to reach them.
  • The contact details lead nowhere useful: a person who has changed roles, a general switchboard or a contact form with no connection to the DPO.
  • The policy is a purchased template where the DPO section was never filled in.

How CompliantHQ tests this

The scanner reads the website's privacy policy and verifies that contact details for a data protection officer are included. The check applies to public sector bodies — there the requirement is unambiguous, and a missing contact detail is a concrete deficiency, not a judgement call.

It is a deterministic document check: we look for an actual contact route to the DPO in the policy text, not for a particular phrasing. The check is included in the free trial — you don't need to pay to see whether your policy passes it.
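As an added illustration of the kind of deterministic document check described above (this is example code, not CompliantHQ's scanner, whose implementation is not shown on this page), the Python sketch below finds a mention of a data protection officer in policy text and looks for an email address in its vicinity. The keyword list, the 400-character context window and the list of "general inbox" mailbox names are assumptions chosen for the example; the sample policy texts are constructed.

```python
import re
from dataclasses import dataclass, field

# Assumption: English vocabulary only. A real scanner needs per-language terms
# (and should treat "DPO" inside an address such as dpo@... as a mention too).
DPO_PATTERN = re.compile(r"\b(data protection officer|DPO)\b", re.IGNORECASE)
EMAIL_PATTERN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumption: mailbox names that usually reach a switchboard or general inbox,
# which the page lists as a contact route that "leads nowhere useful".
GENERIC_LOCALPARTS = {"info", "contact", "hello", "office", "support", "sales"}
WINDOW = 400  # characters of context on each side of a DPO mention (assumption)


@dataclass
class DpoCheck:
    mentioned: bool
    contacts: list[str] = field(default_factory=list)  # emails near a DPO mention
    verdict: str = "no_mention"  # "pass" | "mention_without_contact" | "no_mention"
    notes: list[str] = field(default_factory=list)


def check_dpo_contact(policy_text: str) -> DpoCheck:
    """Deterministic presence check: is a DPO mentioned, and is a contact route
    (an email address) given close to that mention? No particular phrasing is
    required; only the presence of an actual address near the mention counts."""
    # Collapse whitespace so the context window spans line and paragraph breaks.
    text = " ".join(policy_text.split())
    mentions = list(DPO_PATTERN.finditer(text))
    if not mentions:
        return DpoCheck(False, notes=["no DPO mention found in policy"])

    contacts: list[str] = []
    seen: set[str] = set()
    for m in mentions:
        lo = max(0, m.start() - WINDOW)
        hi = min(len(text), m.end() + WINDOW)
        for email in EMAIL_PATTERN.findall(text[lo:hi]):
            if email.lower() not in seen:
                seen.add(email.lower())
                contacts.append(email)

    if not contacts:
        return DpoCheck(True, verdict="mention_without_contact",
                        notes=["DPO mentioned but no email address near the mention"])

    notes = []
    for email in contacts:
        local = email.split("@", 1)[0].lower()
        if local in GENERIC_LOCALPARTS:
            notes.append(f"{email} looks like a general inbox; confirm it reaches the DPO")
    return DpoCheck(True, contacts, "pass", notes)


# Constructed sample policy excerpts (not taken from any real website).
POLICY_OK = (
    "How we process personal data. "
    "We have appointed a data protection officer who monitors our compliance. "
    "You can reach the DPO at dpo@example-municipality.se"
)
POLICY_MENTION_ONLY = "We have appointed a data protection officer in line with the GDPR."
POLICY_NO_MENTION = "We process your data carefully. Contact us at info@example.com"
POLICY_GENERIC_INBOX = "Questions for our data protection officer? Email info@example.com"

if __name__ == "__main__":
    for name, policy in [("ok", POLICY_OK), ("mention_only", POLICY_MENTION_ONLY),
                         ("no_mention", POLICY_NO_MENTION), ("generic", POLICY_GENERIC_INBOX)]:
        result = check_dpo_contact(policy)
        print(f"{name:13s} -> {result.verdict:24s} {result.contacts} {result.notes}")
```

The check deliberately tests only what a document check can test: that a mention exists and that an address sits near it. Whether the address actually reaches the DPO, or is a person who has since changed roles, cannot be read from the policy text and still needs a manual confirmation, which is why a general-inbox address is flagged for review rather than failed outright.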

How to fix it

  • If you have a data protection officer: add the contact details to the privacy policy. A role-based address is enough — and it survives staff changes.
  • Check that the same contact details have been communicated to IMY — article 37.7 requires both parts.
  • Public sector body without a DPO: appoint one. The requirement is unconditional for government agencies, municipalities and regions.
  • Private company unsure whether the requirement applies: check your core activities against the three cases in article 37.1. If the answer is no, you don't need a DPO — but a clear contact route for data protection questions in the policy is good practice anyway.
  • Update the contact details when the DPO changes — a contact route that leads to the wrong place is, in practice, no contact route at all.

What the check covers

  • That contact details for the data protection officer are present — the person who oversees that data is handled correctly. Applies to public-sector bodies.

Common questions

Does every company need a data protection officer?

No — most small and medium-sized businesses don't need one. The requirement applies to public authorities and bodies, and to organisations whose core activities involve large-scale, systematic monitoring of data subjects or large-scale processing of sensitive data or data relating to criminal offences.

Must municipalities have a data protection officer?

Yes, always — municipalities and regions are public bodies and are unconditionally covered by article 37. A municipality that has not published its DPO's contact details in the privacy policy falls short of article 37.7, even if the DPO exists.

Does the data protection officer have to be named publicly?

No. What must be published are the contact details — an email address or role-based address is enough, and the DPO does not have to be named on the website. The contact details must also be communicated to the supervisory authority, IMY.

We appointed a data protection officer voluntarily — do the same rules apply?

Yes. A voluntarily appointed data protection officer is subject to the same rules as a mandatory one: the same independent position, the same tasks and the same requirement to publish the contact details.

Want to see what we find on your site?

Run a free scan — all four modules included for 30 days, no card required.
