The GDPR.eu DPO guide covers the legal definition. This article condenses it to a decision tree: when your SaaS must have a DPO, when it benefits from one, and when it is over-engineering compliance.
The three GDPR triggers (Article 37)
- You are a public authority or body (not most SaaS)
- Your core activity involves regular and systematic monitoring of data subjects on a large scale
- Your core activity involves processing of special category data on a large scale (health, biometric, political, etc.)
If none apply, you do NOT need a DPO. Period. Many SaaS hire one out of caution and waste resources.
What "large scale" actually means
The EDPB clarified "large scale" through four factors: number of data subjects, volume and variety of data, duration of processing, geographic extent. There is no hard threshold, but rough indicators:
| Indicator | Probably not large scale | Probably large scale |
|---|---|---|
| Data subjects | Under 100k | Over 1M |
| Geographic | One country | Multi-region |
| Categories | Operational data | Behavioral profiling |
| Duration | Per-session | Persistent profile |
The three options when you do need one
1. Full-time internal DPO
50-90k EUR/year fully loaded. Worth it only if your data activities are genuinely large-scale and complex.
2. Part-time internal DPO
A senior privacy-aware employee designated formally. Possible if no conflict of interest (cannot be the same person who decides processing purposes).
3. External DPO-as-a-service
Specialized firms in EU offer this for 3-12k EUR/year. Sufficient for SaaS that needs the role but does not need the full-time function.
The most common mistake: hiring an internal DPO to signal compliance maturity, then having that person not have actual authority to challenge product decisions. The role's value comes from independence, not from existence.
Conclusion
Most SaaS do not need a DPO. Those that do need one have three cost-graded options. The decision criteria are mechanical: read Article 37, run the test, decide.
To generate a privacy policy that includes the DPO contact section (or explains why a DPO is not required for your SaaS), try Termerly free.
