When is a data protection officer mandatory?


The NRC recently ran the headline 'Shortage of privacy experts in thousands of organizations'.[1] The article states that by no means all organizations which are obliged to do so have actually appointed a Data Protection Officer (hereinafter 'DPO'). This is despite the fact that the General Data Protection Regulation (hereinafter "the Regulation") entered into force on 25 May 2018. The Regulation has replaced the Privacy Directive and the corresponding Personal Data Protection Act. So when is an organization obliged to appoint a DPO?

Not all organizations are obliged to appoint a DPO. Article 37 of the Regulation requires organizations to appoint a DPO in three situations. The appointment of a DPO is mandatory if: (i) the processing of personal data is carried out by a public authority or body (this does not apply to courts in the exercise of their judicial functions); (ii) the core activities of the controller or processor consist of processing personal data in a way that requires regular and systematic observation of data subjects on a large scale; or (iii) the core activities of the controller or processor consist of large-scale processing of special categories of personal data, or of data relating to criminal convictions and offences as referred to in Article 10 of the Regulation. In addition, EU Member States may require the appointment of a DPO in other situations.

In short, the above means that every public authority which processes personal data has to appoint a DPO. Furthermore, organizations whose core business is following individuals on a large scale must appoint a DPO. The Personal Data Authority cites the profiling of people, for instance in order to make risk assessments, as an example. Finally, organizations whose core business is processing special personal data on a large scale must appoint a DPO. According to the Personal Data Authority, special personal data include, among other things, data about a person's health, race, political opinion, religious beliefs or criminal record.

In order to answer the question whether a DPO is mandatory, it is thus relevant to look, among other things, at the core business of the organization (is the organization primarily engaged in processing (special) personal data?), the scale on which personal data are processed (is the processing carried out on a large scale?) and the frequency with which observation takes place (are the data subjects observed regularly and systematically?). If the appointment of a DPO is mandatory, the DPO must be registered with the Personal Data Authority.

If you have any questions about the Regulation, such as the mandatory appointment of a DPO in some situations, please feel free to contact us.

[1] W. van Loon, 'Tekort aan Privacy-experts bij duizenden organisaties', NRC Next, 16 May 2018.