Do I have to appoint a Data Protection Officer?
Mandatory for public bodies, for large-scale systematic monitoring, and for large-scale processing of special-category or criminal data.
Try this first
- 1Walk the three triggers in GDPR Art. 37. None hit? DPO is not mandatory, but advisable for larger SMBs.
- 2A DPO can be internal or external. Requirements: independent, sufficient knowledge, sufficient time. May not combine with a role that decides on processing (privacy officer is fine, head of IT is not).
- 3Register the DPO with the AP via their online form. That is a statutory duty.
- 4Give the DPO a mandate: direct line to the board, access to all processing, no sanctions for advice.
- 5Document when the DPO must be consulted: DPIA, breach, new tools, processor agreements.
When to bring us in
Unsure whether your processing is "large-scale" in the GDPR sense? It is a grey area the AP publishes case law on. We can help size it.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.