Article 37 GDPR states that the controller and the processor shall designate a Data Protection Officer (DPO) when (a) the processing is carried out by a public authority or body; (b) the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 (which include health data).
Therefore, if your company processes data on a large scale, or carries out regular and systematic monitoring of data subjects on a large scale (e.g. an app tracking Covid infections), you must appoint a DPO. What matters is the scale of the processing, not the size of the company. The GDPR does not define "large scale"; however, the Article 29 Working Party (the EU advisory body on data protection that preceded the European Data Protection Board) gave a few examples of large-scale processing in its guidelines on DPOs (https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf):
processing of patient data in the regular course of business by a hospital
processing of travel data of individuals using a city's public transport system (e.g. tracking via travel cards)
processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities
processing of customer data in the regular course of business by an insurance company or a bank
processing of personal data for behavioural advertising by a search engine
processing of data (content, traffic, location) by telephone or internet service providers