The data protection officer (DPO)
Not every company needs a DPO, but Article 37 makes one mandatory in three cases: processing carried out by a public authority; where core activities consist of regular and systematic monitoring of individuals on a large scale; or where core activities consist of processing special categories on a large scale. Member state law can add further triggers (Germany: 20+ employees engaged in automated processing). The WP29 defined core activities (processing that is an inextricable part of the activity, not necessarily data analytics) and large scale (judged by the number of data subjects, not company size). The DPO acts independently, reports to the highest management level, must not be dismissed or penalised for doing the job properly, and may hold other roles only where there is no conflict of interest. A group may share one DPO if that DPO is easily accessible to each entity. The role may be filled by an employee or a third party.

| Trigger | Notes |
|---|---|
| Processing carried out by a PUBLIC AUTHORITY | DPOs are mandatory in the public sector |
| CORE ACTIVITIES = regular and systematic MONITORING of individuals on a LARGE SCALE | Includes all internet tracking/profiling, but not limited to the online environment |
| CORE ACTIVITIES = processing SPECIAL CATEGORIES on a LARGE SCALE | Large scale judged by number of data subjects, not company size |
| Required by MEMBER STATE LAW | Germany: 20+ persons on automated processing; Spain lists sectors (insurance, financial, educational) |

| Task | Detail |
|---|---|
| Inform and advise | Advise the company and its employees of their GDPR obligations |
| Monitor compliance | Monitor GDPR/policy compliance - manage internal activities, train staff, conduct internal audits |
| Advise on DPIAs | Provide advice on the DPIA where requested and monitor its performance |
| Cooperate with the DPA | Cooperate with the supervisory authority |
| Contact point | Act as the contact point for the DPA on processing and any other matter |

- Position: must report to the highest management level; have access to data processing operations; have support and resources to maintain skills
- Independence: must operate independently; not be dismissed or penalised for performing tasks properly; other roles allowed only without a conflict of interest
- Tenure: no minimum length; fixed terms and dismissal for performance/conduct are allowed, subject to local labour law
- Group: a group of undertakings may appoint a single DPO, provided easily accessible to each entity
- Who: may be an employee or a third-party service provider; the GDPR sets no specific qualifications but expects expert knowledge of data protection law and practices

Core activities are 'key operations necessary to achieve the goals' - the organisation need not be in data analytics, only that processing is an inextricable part of its activity. Large scale is judged by the number of data subjects, not company size: a tiny company with a huge customer base can still be processing on a large scale.