The Role of the Data Protection Officer
Under the GDPR, it is a requirement for certain data controllers and data processors to designate a DPO for their organisations. The designated DPO will play a leading and crucial role in implementing an effective data protection framework that complies with the new requirements as set out under the GDPR.
The Article 29 Working Party (WP29) adopted guidance on the role of the Data Protection Officer (DPO) under the GDPR. The guidance clarifies the key criteria for the mandatory designation of a DPO.
Under Article 37(1) of the GDPR, data controllers and processors must designate a DPO in any case where:
- The processing is carried out by a public authority or body except for courts acting in their judicial capacity;
- The core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.