Companies need to appoint a Data Protection Officer (DPO) if the company
- is a public authority,
- carries out personal data processing on a large scale regularly and systematically,
- engages in large scale processing of sensitive personal data.
If you do none of these activities, then you do not need to appoint a DPO.