A Data Protection Officer (DPO) is responsible for all aspects of data privacy within an organization: educating and training staff, representing the organization towards Supervisory Authorities (SAs), keeping the organization up to date with legal requirements, and making sure that the organization's data processing complies with data protection laws.
A DPO does not have to be a certified lawyer but needs to have expertise in data protection law. A DPO must also not hold any other position in the organization that could create a conflict of interest.
An organization must appoint a DPO in the following cases:
1. Where the processing is carried out by a public authority or body.
2. Where the core activities consist of regular and systematic monitoring of data subjects (people) on a large scale.
3. Where the core activities of the business consist of processing special categories of data on a large scale (e.g. genetic data, religious beliefs, sexual orientation, political opinions, etc.) or personal data relating to criminal convictions and offences.
Two examples:
1. A hospital processes medical data (a special category of data) as part of its core activity of providing health care, so it needs to appoint a DPO.
2. A security company monitors public spaces such as a mall. It processes large amounts of personal data, and this is its core activity, so it needs a DPO. In essence, if the business model is built on processing personal data, the business needs a DPO.
There is no specific definition of what "large scale" means. This can be regulated at a national level, so each EU country can determine what it considers large scale. We would therefore recommend that you contact the Data Protection Authority (DPA) in your country for further information, or the EU Data Protection Authority if you are processing data across countries.
This term is also not defined in the GDPR; again, we recommend contacting your national Data Protection Authority (DPA) or consulting your country's national law. You can find contact information for DPAs in Europe here.