Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Guidelines on Data Protection Officers (‘DPOs’) 

Section 2.1. Mandatory designation

Article 37(1) of the GDPR requires the designation of a DPO in three specific cases:

a) where the processing is carried out by a public authority or body;

b) where the core activities of the controller or the or processor consist of   processing operations, which require regular and systematic monitoring of data subjects on large scale;or 

c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

In the following subsections, the WP29 provides guidance with regard to the criteria and terminology used in Article 37(1).

Document internal analysis

Unless it is obvious that an organisation is not required to designate a DPO, the WP29 recommends that controllers and processors document the internal analysis carried out to determine whether or not a DPO is to be appointed, in order to be able to demonstrate that the relevant factors have been taken into account properly.

This analysis is part of the documentation under the accountability principle. It may be required by the supervisory authority and should be updated when necessary, for example if the controllers or the processors undertake new activities or provide new services that might fall within the cases listed in Article 37(1).

Voluntary designation of a DPO

When an organisation designates a DPO on a voluntary basis, the requirements under Articles 37 to 39 will apply to his or her designation, position and tasks as if the designation had been mandatory.

Nothing prevents an organisation, which is not legally required to designate a DPO and does not wish to designate a DPO on a voluntary basis to nevertheless employ staff or outside consultants with tasks relating to the protection of personal data. In this case it is important to ensure that there is no confusion regarding their title, status, position and tasks. Therefore, it should be made clear, in any communications within the company, as well as with data protection authorities, data subjects, and the public at large, that the title of this individual or consultant is not a data protection officer (DPO).

The DPO, whether mandatory or voluntary, is designated for all the processing operations carried out by the controller or the processor.

author avatar
Richard V

You may also like

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
29 November, 2020

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.3  Risks to free flow of personal data within the Union 44. Where the objection will refer to this particular risk, the CSA will need to clarify why it …

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
29 November, 2020

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.2  Risks to fundamental rights and freedoms of data subjects 39. The issue at stake concerns the impact the draft decision as a whole would have on the data …

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
29 November, 2020

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.1  Meaning of “significance of the risks” 35. It is important to bear in mind that the goal of the work carried out by SAs is that of protecting …