Does your organisation need to appoint a Data Protection Officer (DPO)?

September 29, 2023

The question of whether your organisation needs to appoint a Data Protection Officer (“DPO”) should not be left unanswered, because being obliged to appoint a DPO and not doing so is a violation of the GDPR. This blog post will help you get the right answer.

First things first. Make sure you know what you are looking for by understanding what a DPO is. Many job titles in the market look like a DPO but are not the same, such as “privacy officer”, “privacy champion”, “privacy expert”, “privacy lead”, etc. In brief, you can think of a DPO as a mandatory, independent, personified in-house supervisory authority, which informs and advises your organisation and monitors its GDPR compliance.

Alright, so you know what a DPO is and does. But you still want to know whether you need to appoint a DPO for your organisation. Some people like long elaborations and others only the results. If you are in a rush, read only the questions and answers to get the results; for more detail, read the explanations below them.

Before you check the boxes, make sure you understand and answer two things for yourself, namely what the core activity of your organisation is and whether it is carried out on a large scale, because the assessment of whether you need to appoint a DPO depends largely on these two criteria.

Core activity. This is the primary activity of your business or operation, not merely an ancillary activity. Every activity that is inextricably linked to the primary activity is part of the core activity. Example[1]: processing health records is inextricably linked to providing health care, and thus forms part of the core activity of a hospital. However, necessary support functions, such as HR or IT activities, do not reach the threshold of being inextricably linked to the key operation, and are considered ancillary activities. Answer for yourself now what your organisation’s core activity is and move on to the next paragraph.

Large scale. Large scale is not defined in the law, but it essentially asks you: “Do you process a lot of or only a little personal data?”, “Do you process it for a long time or for a short time?”, “Do you process it from many or few people?”. Well, how should you know where to draw the line? In essence, no one knows exactly; it depends on how reasonably you argue your position, taking the following established criteria into consideration.

According to WP29[2] you need to consider the following criteria in order to know whether you process personal data on a large scale:

  • Specific number of data subjects
  • Proportion of relevant population
  • Volume of data
  • Range of different data items
  • Duration/permanence of processing activity
  • Geographical extent of processing activity

WP29[3] provides the following examples where large-scale processing can be assumed:

  • Processing of patient data by a hospital
  • Processing of travel data of public transport system
  • Processing of real time geolocation data of customers of an international fast-food chain for statistical purposes
  • Processing of customer data in the regular course of business by an insurance company or a bank
  • Processing of personal data for behavioural advertising by a search engine
  • Processing of data (content, traffic, location) by telephone or internet service providers

WP29[4] draws up the following examples where large-scale processing is NOT assumed:

  • Processing of patient data by an individual physician
  • Processing of personal data relating to criminal convictions and offences by an individual lawyer

Answer for yourself now whether your organisation processes personal data on a large scale or not.

You should now be well equipped to answer the following questions about whether you need a DPO or not.

Question 1: Do you process personal data as a public authority or body?
Answer YES: You need to appoint a DPO.
Answer NO: Go to question 2.
Explanation: Courts acting in their judicial capacity do not fall under this category.

Question 2: Does your organisation’s core activity consist of regular and systematic monitoring of individuals on a large scale?
Answer YES: You need to appoint a DPO.
Answer NO: Go to question 3.
Explanation: Regular and systematic monitoring refers to monitoring performed according to a system or strategy, which occurs constantly or repeatedly, whether offline or online. WP29[5] draws up the following examples where regular and systematic monitoring can be assumed:

  • Operating a telecommunications network
  • Providing telecommunications services
  • Email retargeting
  • Profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering)
  • Location tracking, for example, by mobile apps
  • Loyalty programs
  • Behavioural advertising
  • Monitoring of wellness, fitness and health data via wearable devices
  • Closed circuit television
  • Connected devices e.g. smart meters, smart cars, home automation, etc.

Question 3: Does your organisation’s core activity consist of large-scale processing of special categories of personal data?
Answer YES: You need to appoint a DPO.
Answer NO: Go to question 4.
Explanation: Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation. This list is exhaustive, but each category allows a broad interpretation.

Question 4: Does your organisation’s core activity consist of large-scale processing of data relating to criminal convictions and offences?
Answer YES: You need to appoint a DPO.
Answer NO: You do not need to appoint a DPO.
Explanation: What constitutes criminal data will in most cases be determined by national legislation. It relates, however, to criminal convictions, offences, or related security measures.

If the result of answering these four questions is that you need to appoint a DPO, then you should do so. If the result is that you do not need to appoint a DPO, please don’t lean back yet, because there is no rule without exception. There are still some criteria you need to consider: each EU member state may lay down more specific requirements on whether you need to appoint a DPO.

If you are not obliged to appoint a DPO, you are nevertheless allowed to appoint one voluntarily. Consider this option, as it might be of great benefit to your organisation on its way towards GDPR compliance. Keep in mind, however, that the same rights and duties apply to a voluntarily appointed DPO as to a mandatory one.

_______________________________________________________________________________________________________________________________________________________________

[1] WP29, Guidelines on Data Protection Officers ('DPOs'), at pages 6-7.

[2] WP29, Guidelines on Data Protection Officers ('DPOs'), at page 7.

[3] WP29, Guidelines on Data Protection Officers ('DPOs'), at page 8.

[4] WP29, Guidelines on Data Protection Officers ('DPOs'), at page 8.

[5] WP29, Guidelines on Data Protection Officers ('DPOs'), at pages 8-9.

Mateus
Consultant