Do I need to appoint a Data Protection Officer (DPO)?


This article is written in collaboration with a law agency. However, it is intended for general information purposes only. It does not constitute a client-attorney relationship or personalized legal advice.

A word of warning: this is a complex topic. Consider getting professional legal advice.

The short and confusing version

If systematic and regular data processing is one of the core activities of your company, you need to appoint a DPO.

If you do data processing on a large scale, you need to appoint a DPO.

Otherwise, you might need to appoint a DPO, but it’s possible that you’ll get away without one.

The long and even more confusing version

According to GDPR, the designation of a DPO is an obligation if:

i) the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
ii) the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences; or
ii) the processing is carried out by a public authority or body (irrespective of what data is being processed).

If any of those conditions is met, you will need to appoint DPO.

In addition, Union or Member State law may require the designation of DPOs in other situations.

In order to understand does any of those listed situations mean you, we will have to explain terms as “core activities”, “regular and systematic monitoring” and “large scale”. Luckily, the Article 29 Working Party (an independent advisory) has given some leads on how to understand these terms. We will give you a short overview what WP 29 has stated on the matter.

Core activities

Core activities are considered as the key activities to achieve the controller’s or processor’s objectives and set purposes. This includes all activities where the processing of data is an inseparable part of the controller’s or processor’s activity. For example, in the case of a security firm monitoring large public areas via cameras, data processing is an essential part of providing their security service. Therefore, they would have to appoint a DPO.

Supporting activities that are inseparable and essential but are not the main activities of the controller/processor are considered ancillary activities. Examples of ancillary activities would be processing personal data for paying salaries or providing essential IT support for a company. If your processing of personal data is only ancillary, you don’t need a DPO.

Regular and systematic monitoring

WP 29 has said that regular and systematic monitoring includes all forms of tracking and profiling on the internet (that means also for the purposes of behavioural advertising). However, WP 29 states that monitoring is not restricted to online environment.

WP 29 brings out following examples of regular and systematic monitoring:

Examples of activities that may constitute a regular and systematic monitoring of data subjects: operating a telecommunications network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc.”

Regular is interpreted as something:

  1. ongoing or occurring at particular intervals for a particular period;
  2. recurring or repeated at fixed times;
  3. constantly or periodically taking place.

Systematic is interpreted as something:

  1. occurring according to a system;
  2. pre-arranged, organised or methodical;
  3. taking place as part of a general plan for data collection;
  4. carried out as part of a strategy.

Large scale

WP 29 has listed some factors to be considered when determining whether the processing is carried out on a large scale:

  1. the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
  2. the volume of data and/or the range of different data items being processed;
  3. the duration, or permanence, of the data processing activity;
  4. the geographical extent of the processing activity.

As examples of large scale processing WP 29 has brought out the following situations:

  1. processing of patient data in the regular course of business by a hospital;
  2. processing of travel data of individuals using a city’s public transport system;
  3. processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities;
  4. processing of customer data in the regular course of business by an insurance company or a bank;
  5. processing of personal data for behavioural advertising by a search engine
  6. processing of data (content, traffic, location) by telephone or internet service providers.

You can find WP 29 guidelines on DPOs here.

So, if one of the core activities of your business is processing personal data and you are doing it either “regulary and systematically” or on a large scale, you need to appoint a DPO.

Maarja Lehemets

Lawyer @ Triniti