Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Categories Blog, Business, Design / Branding, Free Data Protection Resources
Date September 7, 2020

Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Section 5.1 Which organisations must appoint a DPO?

The designation of a DPO is an obligation:

if the processing is carried out by a public authority or body (irrespective of what data is being processed)
if the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale
if the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences

Note that Union or Member State law may require the designation of DPOs in other situations as well. Finally, even if the designation of a DPO is not mandatory, organisations may sometimes find it useful to designate a DPO on a voluntary basis. The Article 29 Data Protection Working Party (‘WP29’) encourages these voluntary efforts. When an organisation designates a DPO on a voluntary basis, the same requirements will apply to his or her designation, position and tasks as if the designation had been mandatory.

Source: Article 37 (1) of the GDPR