Your company/organisation needs to appoint a DPO, whether it's a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals. In that respect, monitoring the behaviour of data subjects includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.
Public administrations always have an obligation to appoint a DPO (except for courts acting in their judicial capacity).
The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contact. A DPO can be an individual or an organisation.
A DPO is mandatory for example when your company/organisation is:
- a hospital processing large sets of sensitive data
- a security company responsible for monitoring shopping centres and public spaces
- a small head-hunting company that profiles individuals
DPO not mandatory
A DPO isn’t mandatory if:
- you’re a local community doctor and you process personal data of your patients
- you have a small law firm and you process personal data of your clients
- Article 29 Working Party Guidelines on the Data Protection Officers, 5 April 2017 (WP 243)
- Articles 37 to 39 and Recital (97) of the GDPR