Article 37 of the General Data Protection Regulation entails:

If your company processes special (i.e. health data, religious data, racial data, criminal offences, etc) categories of information on a large scale you must appoint one and communicate the details of that Officer to the authorities. Article 37 of the General Regulation of Data Protection lays down under what conditions exactly you need to appoint a DPO.

You may appoint an external data protection officer. That data protection officer can work on the basis of a free lance contract. If you would like the discuss the possibility of us becoming your DPO, do contact us. We are the DPO´s for healthcare  and insurance companies and as such have experience in the protection of special categories of sensitive data.