Which organisations must appoint a DPO (data protection officer) under the GDPR?
A DPO must be appointed:
- Where the processing is carried out by a public authority or body;
- Where the organisation’s core activities require regular and systematic monitoring of data subjects on a large scale; or
- Where core activities involve large-scale processing of special category data or data relating to criminal convictions or offences.
Organisations that are not obliged to appoint a DPO can nevertheless do so if they wish. The role has the same legal status whether the appointment is voluntary or mandatory. See Articles 37, 38 and 39.
Find out more about DPOs >>
Can organisations share a DPO (data protection officer)?
Yes – and you can outsource the role to an external provider if you lack the necessary knowledge and experience.
Find out more about outsourcing the DPO role >>