Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Paragraph 2.1.1  Public Authority or Body

The GDPR does not define what constitutes a ‘public authority or body’. The WP29 considers that such a notion is to be determined under national law. Accordingly, public authorities and bodies include national, regional and local authorities, but the concept, under the applicable national laws, typically also includes a range of other bodies governed by public law. In such cases, the designation of a DPO is mandatory.

A public task may be carried out, and public authority may be exercised13not only by public authorities or bodies but also byother natural or legal persons governed by public or private law, in sectors such as, according to national regulation of each Member State,public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodiesfor regulated professions.

In these cases,data subjects may be in a very similar situation to when their data are processed by a public authority or body. In particular, data can be processed for similar purposes and individuals often havesimilarly little or no choice over whether and how their data will be processedand may thus require the additional protectionthat the designation of a DPO can bring.

Even though there is no obligation in such cases, the WP29 recommends, as a good practice, thatprivate organisations carrying out public tasks or exercising public authoritydesignate a DPO. Such a DPO’s activity covers all processing operations carried out, including those that are not related to the performance of a public task or exercise of official duty (e.g. the management of an employee database).