DPO (data protection officer) | GDPR FAQs

Speak to a GDPR expert

If your question has not been answered, get in touch using one of the methods below to speak with one of our GDPR experts.

Which organisations must appoint a DPO (data protection officer) under the GDPR?

A DPO must be appointed:

Where the processing is carried out by a public authority or body;
Where the organisation’s core activities require regular and systematic monitoring of data subjects on a large scale; or
Where core activities involve large-scale processing of special category data or data relating to criminal convictions or offences.

Organisations that are not obliged to appoint a DPO can nevertheless do so if they wish. The role has the same legal status whether the appointment is voluntary or mandatory. See Articles 37, 38 and 39.

Find out more about DPOs

Can organisations share a DPO (data protection officer)?

Yes – and you can outsource the role to an external provider if you lack the necessary knowledge and experience.

Find out more about outsourcing the DPO role

GDPR FAQs – DPO (data protection officer)

Speak to a GDPR expert

Which organisations must appoint a DPO (data protection officer) under the GDPR?

Can organisations share a DPO (data protection officer)?

Speak to a GDPR expert