According to the GDPR, some companies need to appoint a data protection officer (DPO). A DPO has the task of assisting the company in monitoring and reviewing compliance – for example, by advising and informing about the company’s data protection obligations.
Data protection officer basics
First of all, the GDPR requires that the DPO possesses certain qualifications. Appointing a data protection officer will, for some sectors and companies, be mandatory.
You should report the appointment of a data protection officer to the supervisory authority.
The purpose of the DPO is to assist and advise the company in issues relating to data protection. The responsibilities include, for example, controlling and reviewing compliance. By doing this, the DPO can help to improve procedures and routines when it comes to data protection.
Duty to appoint a DPO
You need to appoint a data protection officer if any of the following apply:
- you are a public authority or body (except for courts acting in their judicial capacity);
- your core activities include large-scale regular and systematic monitoring of individuals;
- your core activities consist of large-scale processing of special categories of data, or personal data relating to criminal convictions and offences.
Core activities are the company’s primary business activities. This means that if you need to process personal data to fulfil your key goals, this is a core activity. This is distinguished from processing data for other, secondary purposes (e.g. for HR or to pay salaries). For example, hospitals will need to appoint a data protection officer due to large-scale processing of sensitive data.
“Regular and systematic monitoring” includes all forms of tracking and profiling online, such as processing data for the sake of behavioural advertising. Monitoring is not limited to the online environment and includes offline activities as well.
Companies that are not required to appoint a data protection officer may still, in some cases, wish to do so. By doing this, they can improve their data protection standards. It is also a good way to communicate with the supervisory authority and individuals. Additionally, appointing a DPO is a way to show compliance and a will to improve your privacy and data protection. If the supervisory authority is considering imposing a fine, having a DPO could count in your favour.
To read about a DPO’s required competencies and areas of responsibility, see our article “Competencies and responsibilities of a Data Protection Officer”.