The primary role of the Data Protection Officer (DPO) is to ensure that the organization processes the personal data of its employees, customers, suppliers or any other persons (also called data subjects) in accordance with applicable data protection regulations. The requirement to appoint a DPO is found in the General Data Protection Regulation (EU).

The DPO ensures that controllers and data subjects are informed of their rights and obligations regarding personal data. It also has responsibilities:

• For maintaining a register of personal data processing operations;
• For conducting a DPIA (Data Protection Impact Assessment);
• Providing guidance on compliance with and interpretation of personal data protection legislation;
• Responding to enquiries and complaints from data subjects and regulatory authorities regarding the processing of personal data.

You need to appoint a DPO, whether you are a data controller or a data processor, if your main activity involves large-scale processing of personal data or large-scale, regular and systematic monitoring of individuals. In this respect, monitoring the behavior of individuals includes all forms of online tracking and profiling, including for the purpose of behavioral advertising.

Public administrations are always obliged to appoint a DPO.

The DPO may be a full-time employee of the company or may be hired externally on a contract basis. The DPO can be an individual or an organization. A few practical examples of when to appoint a DPO.

The presence of a DPO is compulsory if you:

• A hospital that processes large sets of vulnerable data;
• A security company responsible for the surveillance of shopping centers and public places;
• A small recruitment company that does profiling.

A DPO is not compulsory if:

• You are a local doctor and you handle your patients’ personal data;
• You have a small law firm and you handle your clients’ personal data.

The Data Protection Officer should be independent, as well as an expert in data protection, adequately resourced and only report to senior management. The DPO can either be an in-house employee or outsourced.

The regulator does not require the DPO to have any specific qualifications, but the DPO is expected to have a sufficient level of knowledge in the area of personal information protection. Such proof may be a CIPP/E certificate.

One DPO can represent several organizations at once.