Why do I need a Data Protection Officer?

The primary role of the Data Protection Officer (DPO) is to ensure that the organization processes the personal data of its employees, customers, suppliers or any other persons (also called data subjects) in accordance with applicable data protection regulations. The requirement to appoint a DPO is found in the General Data Protection Regulation (EU).

The DPO ensures that controllers and data subjects are informed of their rights and obligations regarding personal data. It also has responsibilities:

  • For maintaining a register of personal data processing operations;
  • For conducting a DPIA (Data Protection Impact Assessment);
  • Providing guidance on compliance with and interpretation of personal data protection legislation;
  • Responding to enquiries and complaints from data subjects and regulatory authorities regarding the processing of personal data.

Who is supposed to appoint the DPO?

You need to appoint a DPO, whether you are a data controller or a data processor, if your main activity involves large-scale processing of personal data or large-scale, regular and systematic monitoring of individuals. In this respect, monitoring the behavior of individuals includes all forms of online tracking and profiling, including for the purpose of behavioral advertising.

Public administrations are always obliged to appoint a DPO.

The DPO may be a full-time employee of the company or may be hired externally on a contract basis. The DPO can be an individual or an organization. A few practical examples of when to appoint a DPO.

The presence of a DPO is compulsory if you:

  • A hospital that processes large sets of vulnerable data;
  • A security company responsible for the surveillance of shopping centers and public places;
  • A small recruitment company that does profiling.

A DPO is not compulsory if:

  • You are a local doctor and you handle your patients’ personal data;
  • You have a small law firm and you handle your clients’ personal data.

Who can act as a DPO?

The Data Protection Officer should be independent, as well as an expert in data protection, adequately resourced and only report to senior management. The DPO can either be an in-house employee or outsourced.

The regulator does not require the DPO to have any specific qualifications, but the DPO is expected to have a sufficient level of knowledge in the area of personal information protection. Such proof may be a CIPP/E certificate.

One DPO can represent several organizations at once.

Our advantages

Сопровождение стартапов


We always offer several solutions


Quick and prompt responses in Telegram or Slack. Regular calls in Google Meet/Zoom.

Публикация приложений в Google Play и AppStore - фото 2

of work

Full reporting on the time spent

License Curacao - фото 3


No unexpected costs. All project costs are agreed upfront


Our clients


Mon-Fri 10:00-19:00


Konyskoho St. 55А, Kyiv, Ukraine, 04053


Mon-Fri 10:00-19:00


Harju maakond, Tallinn, Kesklinna linnaosa, Tuukri tn 19-315, 10152


Mon-Fri 10:00-19:00

United States

228 Park Ave S PMB 516920 New York, New York 10003-1502 US