Does my company/organisation need to have a Data Protection Officer (DPO)?

estimated reading time: 1 min

Answer

Your company/organisation needs to appoint a DPO, whether it's a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals. In that respect, monitoring the behaviour of individuals includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.

Public administrations always have an obligation to appoint a dpo (except for courts acting in their judicial capacity).

The dpo may be a staff member of your organisation or may be contracted externally on the basis of a service contact. A dpo can be an individual or an organisation.

Examples

DPO mandatoryA dpo is mandatory for example when your company/organisation is:

• a hospital processing large sets of sensitive data;
• a security company responsible for monitoring shopping centres and public spaces;
• a small head-hunting company that profiles individuals.

DPO not mandatoryA dpo isn’t mandatory if:

• you’re a local community doctor and you process personal data of your patients
• you have a small law firm and you process personal data of your clients

References

• EDPB Guidelines on Data Protection Officers ('DPOs')
• Articles 37, 38 and 39 and Recital (97) of the GDPR