Tribe by ToTeM #13 → Join now

Startup and GDPR (pt. 3)

Here we conclude our guide on the requirements and obligations to be met regarding privacy and the use of personal data when developing and selling your products and services.

Resource created by Fabio Cassanelli, Co-founder & GDPR Consultant at Argo Business Solutions

When is the appointment of a DPO mandatory?

The Data Protection Officer (DPO) is a role introduced by Article 37 of Regulation (EU) 2016/679 GDPR. It is an individual, a natural person internal or external to the organisation or a legal person, appointed by the data controller or processor to perform support and control, advisory, training and information functions in relation to the application of the GDPR.

His or her contact details must be mandatorily nominated to the Data Protection Authority by following a specific online procedure.

But are startups mandatory to appoint a DPO?

Nomination requirements

According to Article 37 of the GDPR, the controller and the processor must systematically appoint a data protection officer if:

  • the processing is carried out by a public authority or a public body;
  • the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require the regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the controller or processor consist of the processing, on a large scale, of special categories of personal data referred to in Article 9 or of data relating to criminal convictions and offences referred to in Article 10.

The particular data are those revealing ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health or sex life.

Does my startup need a DPO?

The correct answer is: it depends.

If the startup performs processing operations that enable the monitoring of data subjects on a large scale or special and judicial data are processed on a large scale, it absolutely must appoint a DPO.

However, even if the startup does not fall into the above-mentioned categories, if there are no adequate privacy and data protection skills among the founders or staff, our advice is to provide for the appointment of the DPO as one of the preliminary steps. In fact, even in cases where the Regulation does not strictly impose the appointment of a DPO or DPO, an appointment on a voluntary basis is still possible.

The DPO will support the startup in the application of the principles of privacy by design and by default , and help it with all the other tasks required by the GDPR. In addition, the DPO will be able to interface with investors, providing them with all information to demonstrate the startup's GDPR compliance.

Beware of Conflicts of Interest

Although the DPO is allowed to hold other positions within the company and perform other tasks, it is very important that no conflicts of interest with the startup company arise. In fact, since the Data Protection Officer must fulfil the requirement of independence, he/she may not be one of the founders or hold a 'senior or middle management' position such as chief executive, chief operating, chief financial, chief medical officer, marketing directorate, human resources directorate or IT directorate.

If it is decided to appoint as DPO a figure from outside the organisation (this can be either a natural person or a legal entity), it is incompatible with the independence requirements to assign the task to persons who, in rendering services in the interest of the owner, might be in a position of conflict of interest such as IT service providers, software houses, etc.

We trust you enjoyed this resource and that it has given you the tools you need to tackle GDPR for your startup! If you missed them or need to catch up on other information, read the first two parts of the resource.


Fabio Cassanelli
Co-founder & GDPR Consultant Argo Business Solutions

Latest articles

Useful resources

Come lanciare un prodotto

How to launch a product

The launch for a startup is a crucial moment that should neither be underestimated nor feared, if approached correctly.

your news

If you have any interesting news about your company or startup and would like to highlight it through our pages, fill out the form to report it to us.

I have some juicy news for ToTeM.

Data processing

Main Partner
Logo Fondazione Compagnia di San Paolo
Logo di Fondazione Sviluppo e Crescita CRT
Technical Partners