Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Paragraph 2.1.2  Core Activities

Article 37(1)(b) and (c) of the GDPR refers to the ‘core activities of the controller or processor’. Recital 97 specifies that the core activities of a controller relate to ‘primary activities and do not relate to the processing of personal data as ancillary activities’. ‘Core activities’ can be considered as the key operations necessary to achieve the controller’s or processor’s goals.

However, ‘core activities’ should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, the core activity of a hospital is to provide health care. However, a hospitalcould not provide healthcare safely and effectively without processing health data, such as patients’ health records. Therefore, processing these data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs.

As another example, a private security company carries out the surveillance of a number of private shopping centres and public spaces. Surveillance is thecore activity of the company, which in turn is inextricably linked to the processing of personal data. Therefore, this company must also designate a DPO. On the other hand, all organisations carry out certain activities, forexample, paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.