Who is required to appoint a Data Protection Officer (DPO) under the GDPR?

A Data Protection Officer (DPO) is the person responsible for monitoring a company’s data management and processing activities, providing information and professional advice to the organization, ensuring internal rules comply with data protection regulations, collaborating with supervisory authorities, and acting as a liaison and intermediary.
The GDPR defines three situations in which appointing a DPO is mandatory:
Public authorities or bodies (except courts) conducting data management and processing activities.
This includes national, regional, and local authorities as well as companies performing public tasks (e.g., transport companies, energy companies, public service broadcasters, etc.).
If the organization’s primary activity involves data processing operations that, by their nature, scope, and/or purpose, require the regular and systematic large-scale monitoring of individuals.
Data processing counts as a primary activity not only when it is the explicit aim of the organization, but also when it is indispensable to the main activity (e.g., hospitals must handle patient data to provide healthcare, security companies conduct surveillance of public areas via cameras, etc.).
If the primary activities of the data controller or processor involve the large-scale processing of special categories of personal data.
Large-scale processing includes operations that handle a significant volume of personal data at regional, national, or supranational levels, impacting a large number of individuals or involving data that poses high risks due to its sensitivity. Factors to consider include the number of individuals affected, the amount and type of data, the duration of processing, and the geographical scope. Examples of large-scale processing include hospitals, healthcare institutions, public transport companies, banks, insurance companies, telecommunications companies, etc.
Processing of personal data is not considered large-scale if it concerns a specific specialist doctor’s patients or an individual lawyer’s clients.
Note: DPOs are not personally liable for non-compliance with the GDPR. The GDPR clarifies that it is the responsibility of the data controller or processor to ensure and demonstrate that processing is carried out in compliance with GDPR regulations.