The primary role of the data protection officer (DPO) is to ensure that her organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.
The appointment of a DPO must, of course, be based on her personal and professional qualities, but particular attention must be paid to her expert knowledge of data protection. A good understanding of the way the organisation operates is also recommended.
Under the GDPR, a company/organisation needs to appoint a DPO, whether it’s a controller or a processor, if its core activities involve the processing of sensitive data on a large scale or involve large-scale, regular and systematic monitoring of individuals. In that respect, monitoring the behaviour of individuals includes all forms of tracking and profiling on the internet, including for behavioural advertising.
Public administrations must always appoint a DPO (except for courts acting in their judicial capacity).
The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contract. A DPO can be an individual or an organisation.
A DPO is mandatory, for example, when your company/organisation is:
- a hospital processing large sets of sensitive data;
- a security company responsible for monitoring shopping centres and public spaces;
- a small head-hunting company that profiles individuals.
DPO not mandatory
A DPO isn’t mandatory if:
- you’re a local community doctor and you process personal data of your patients;
- you have a small law firm and you process personal data of your clients.