Short Reads

Countdown 9 weeks until GDPR : Will all companies be required to appoint a data protection officer?

Stibbe - Will all companies be required to appoint a DPO?

Countdown 9 weeks until GDPR : Will all companies be required to appoint a data protection officer?

22.03.2018 EU law

Only 9 more weeks to go before the GDPR becomes fully effective. Preparing your company for the application of this new regulation requires a correct understanding of its principles. Each week, we highlight one particular misconception regarding the interpretation of the GDPR.

Will all companies be required to appoint a data protection officer?

It is a common misunderstanding that all companies will be required by the GDPR to appoint a Data Protection Officer (“DPO”).

The designation of a DPO is only mandatory and thus only truly required for entities that act as a data controller or data processor in the three specific cases which have been described: (i) if the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (ii) if the core activities (i.e., the primary activities or key operations that are necessary for achieving the goals of the controller or processor) consist of processing operations that require regular and systematic large-scale monitoring of data subjects, e.g., businesses that engage in profiling or tracking of online behaviour; or (iii) if the core activities consist of processing on a large scale the so-called “sensitive” categories of personal data, such as health data, biometric data, data revealing ethnic origin or religious beliefs, and information relating to criminal convictions. Additionally, Member State law may require the mandatory appointment of a DPO in other situations as well, as is already the case for Germany for example.

In other cases than those referred to above, the voluntary appointment of a DPO is merely recommended, thus not mandatory. Moreover, if an organization designates a DPO voluntarily, the requirements under the GDPR will fully apply to his or her designation, position, and tasks as if the designation were mandatory. This needs to be considered when deciding to appoint a DPO voluntarily.

 

Stibbe, together with Chiomenti, Cuatrecasas, GIDE and Gleiss Lutz, have gathered this useful information, reflecting some common misconceptions about the implementation of the GDPR.

Team

Related news

21.10.2021 EU law
Law and Artificial Intelligence (part three): towards a European perspective in intellectual property? The European Parliament goes one step further…

Articles - For the European Union, it is time to have uniformed rules on artificial intelligence (AI). On 20 October 2020, the European Parliamentary Assembly adopted, on the basis of three reports, three resolutions on AI from three different perspectives. These resolutions have recently (on 6 October 2021) been published in the Official Journal.

Read more

21.10.2021 EU law
Law and Artificial Intelligence (part one): towards a European civil liability regime? The European Parliament goes one step further…

Articles - For the European Union, it is time to have uniformed rules on artificial intelligence (AI). On 20 October 2020, the European Parliamentary Assembly adopted, on the basis of three reports, three resolutions on AI from three different perspectives. These resolutions have recently (on 6 October 2021) been published in the Official Journal.

Read more

21.10.2021 EU law
Law and Artificial Intelligence (part two): towards a European framework in line with the ethical values of the EU? The European Parliament goes one step further…

Articles - For the European Union, it is time to have uniformed rules on artificial intelligence (AI). On 20 October 2020, the European Parliamentary Assembly adopted, on the basis of three reports, three resolutions on AI from three different perspectives. These resolutions have recently (on 6 October 2021) been published in the Official Journal.

Read more