A DPO is not required for every site, but tracking changes the answer
Plenty of businesses run a cookie banner and never need a data protection officer. A DPO is a specific GDPR role with legal protections and duties, not a title you hand to whoever manages the website. Whether you're obliged to appoint one turns on Article 37, and for companies whose business runs on tracking, the answer is more often yes than they expect.
Article 37(1) sets three triggers. A DPO is mandatory if you're a public authority, if your core activities consist of large-scale regular and systematic monitoring of people, or if your core activities involve large-scale processing of special-category or criminal data. The middle one is where cookies come in.
The trigger that catches trackers
Article 37(1)(b) is loaded with three terms that decide everything: "core activities," "regular and systematic monitoring," and "on a large scale." The Article 29 Working Party guidance on DPOs (WP243, endorsed by the EDPB) unpacks each.
- Core activities are your primary business operations, the things you exist to do, not the support functions every company runs. Payroll and IT security are ancillary. The tracking that powers an ad-funded publisher or an adtech vendor is core.
- Regular and systematic monitoring is defined broadly, and WP243 gives examples that read like a list of common cookie use cases: behavioral advertising, data-driven marketing, profiling and scoring, location tracking, and email retargeting.
- Large scale has no fixed number. The guidance says to weigh the number of people affected, the volume of data, the duration, and the geographic reach. A site tracking millions of visitors across the EU is large scale. A local shop's basic analytics isn't.
Who clearly needs one, and who probably doesn't
Line your activity up against those three terms and most cases resolve quickly.
Likely required: adtech vendors, ad-funded publishers, data brokers, analytics providers, and large e-commerce operations running extensive cross-site profiling and retargeting. For these, tracking is core, systematic, and large scale at once.
Likely not required: a small business running privacy-friendly first-party analytics, a professional-services firm with a brochure site and a contact form, a local retailer whose tracking is incidental to selling things in a shop.
The grey zone: mid-size e-commerce with meaningful retargeting, a SaaS product doing product analytics on a large user base. Here you assess honestly against the factors rather than guessing. When you're genuinely on the line, appointing a DPO (or at least a documented privacy lead) is the defensible call, and it's cheaper than arguing about it during an investigation.
A DPO you can fire for saying no isn't a DPO
Article 38 gives the DPO real independence. They report to the highest level of management, can't be dismissed or penalized for doing the job, and can't hold a role that creates a conflict of interest. That last point matters for tracking: the person who decides your ad-targeting strategy can't also be the DPO who's supposed to scrutinize it. If you appoint a DPO in name only, with no independence and a conflicting day job, you haven't met the requirement; you've just documented that you missed it.
What the DPO actually does for cookies
Article 39 sets the DPO's tasks, and several map directly onto cookie work. The DPO informs and advises the business on its obligations, monitors compliance (including your consent mechanism and cookie practices), advises on data protection impact assessments and monitors their performance, and acts as the contact point for both your supervisory authority and the people whose data you process.
In practice, that makes the DPO the person who checks that your banner actually blocks tags before consent, that your DPIA got done where it was required, and that a data subject who complains about tracking gets a real answer. The DPO doesn't have to build any of this. They have to be able to verify it, which means they need evidence, not assurances from the marketing team.
You can appoint one voluntarily, or hire one out
Two options soften the "do we have to" question. First, you can designate a DPO even when you're not strictly required to. Be aware that a voluntary DPO isn't a lighter version of the role: once you appoint someone under Article 37, the independence and task requirements of Articles 38 and 39 apply in full. Some organizations that want a privacy owner without locking into the formal regime instead name an internal privacy lead who carries the responsibility without the DPO title.
Second, if you do cross the threshold but don't want a full-time hire, Article 37(6) lets the DPO fulfil the tasks on the basis of a service contract. An external, shared DPO is a normal arrangement for smaller companies that tip into the mandatory zone because tracking is core to a lean business. What you can't do is leave the role unfilled and hope the threshold doesn't apply to you, since that judgment is one a regulator will second-guess.
Do you need a DPO?
- Is tracking or profiling one of your core business activities? Ad-funded, adtech, and data-broker models usually say yes; a brochure site says no.
- Do you monitor people regularly and systematically? Behavioral advertising, retargeting, and cross-site profiling all count under WP243.
- Is the monitoring large scale? Weigh the number of people, data volume, duration, and geographic reach.
- Would your privacy lead be independent and conflict-free? Article 38 bars a DPO who also decides the tracking strategy they'd be reviewing.
- If you're on the line, have you documented the decision? A reasoned assessment either way is part of demonstrating compliance.
Giving your DPO something to work with
A DPO can only monitor what they can see. This is where CookieBeam earns its place in the compliance stack. The cookie scanner gives the DPO an independent inventory of what's actually running on the site, so they're not relying on engineering's word for which vendors receive data. Per-purpose consent logs let them verify that consent is real and honored rather than assumed. And the same records feed the record of processing activities the DPO is expected to help maintain.
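To make concrete the kind of evidence the two passages above call for (a banner that really blocks tags before consent, and consent logs that can be checked rather than assumed), here is an added example; it is not CookieBeam's scanner or log format. It takes a constructed per-purpose consent record and a constructed list of requests captured during a page load, and flags every non-essential third-party request that fired before consent for its purpose was recorded. The host names, purpose labels and timestamps are all constructed.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample data (assumed shapes, not any real vendor's format).
# Per-purpose consent record: None means the purpose was never granted.
CONSENT_LOG = {
    "visitor_id": "v-123",
    "granted": {"analytics": "2024-05-01T10:00:05Z", "advertising": None},
}
# Which purpose each third-party host serves; "necessary" needs no consent.
VENDOR_PURPOSES = {
    "analytics.example": "analytics",
    "ads.example": "advertising",
    "cdn.example": "necessary",
}
FIRST_PARTY = "shop.example"
# Requests captured during the page load, in order (constructed).
REQUESTS = [
    ("2024-05-01T10:00:01Z", "https://shop.example/"),
    ("2024-05-01T10:00:01Z", "https://cdn.example/app.js"),
    ("2024-05-01T10:00:02Z", "https://ads.example/pixel"),
    ("2024-05-01T10:00:03Z", "https://analytics.example/collect"),
    ("2024-05-01T10:00:07Z", "https://analytics.example/collect"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit(requests, consent, vendor_purposes, first_party):
    """Return each non-essential third-party request that fired before
    consent for its purpose existed. Hosts with no known purpose are
    flagged too: an unknown vendor is a gap in the inventory, not a pass."""
    findings = []
    for ts, url in requests:
        host = urlsplit(url).hostname
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party traffic is out of scope for this check
        purpose = vendor_purposes.get(host, "unknown")
        if purpose == "necessary":
            continue
        granted_at = consent["granted"].get(purpose)
        if granted_at is None or parse_ts(ts) < parse_ts(granted_at):
            findings.append({"host": host, "purpose": purpose,
                             "fired_at": ts, "consent_at": granted_at})
    return findings


if __name__ == "__main__":
    for f in audit(REQUESTS, CONSENT_LOG, VENDOR_PURPOSES, FIRST_PARTY):
        print(f"{f['host']} ({f['purpose']}) fired at {f['fired_at']}, "
              f"consent: {f['consent_at'] or 'never'}")
```

The two flagged rows (the ad pixel with no consent at all, and the analytics call two seconds before analytics consent was logged) are exactly the findings a DPO can put in front of the marketing team; the later analytics call is clean.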
Whether or not you're strictly required to appoint a DPO, the underlying obligation to demonstrate compliance doesn't go away. That broader duty is covered in the accountability principle applied to cookies. A DPO is one way to meet it; evidence is what makes any of it stick.