Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Section 2.2  DPO of the processor

Article 37 applies to both controllers and processors with respect to the designation of a DPO. Depending on who fulfils the criteria on mandatory designation, in some cases only the controller or only the processor, in other cases both the controller and its processorare required to appoint a DPO (who should then cooperate with each other).

It is important to highlight that even if the controller fulfils the criteria for mandatory designation its processor is not necessarily required to appoint a DPO. This may, however, be a good practice.

Examples:

• A small family business activein the distribution of household appliancesin a single town uses the services of a processor whose core activity is to provide website analytics services and assistance with targeted advertisingand marketing. The activities of the family business and its customers do not generate processing of data on a ‘largescale’, considering the small number of customers and the relatively limited activities. However, the activities of the processor, having many customers like thissmall enterprise, taken together, are carrying out large-scaleprocessing. The processor must therefore designate a DPO under Article 37(1)(b). At the same time, the family business itself is not under an obligation to designate a DPO.

• A medium-size tile manufacturing company subcontracts its occupational health services to an external processor, which has a large number of similar clients. The processor shall designate a DPO under Article 37(1)(c) provided that the processing is on a large scale. However, themanufacturer is not necessarily under an obligation to designate a DPO.

The DPO designated by a processor also oversees activities carried out by the processor organisation when acting as a data controller in its own right (e.g. HR, IT, logistics).