Short Reads

Countdown 9 weeks until GDPR : Will all companies be required to appoint a data protection officer?

Stibbe - Will all companies be required to appoint a DPO?

Countdown 9 weeks until GDPR : Will all companies be required to appoint a data protection officer?

22.03.2018 EU law

Only 9 more weeks to go before the GDPR becomes fully effective. Preparing your company for the application of this new regulation requires a correct understanding of its principles. Each week, we highlight one particular misconception regarding the interpretation of the GDPR.

Will all companies be required to appoint a data protection officer?

It is a common misunderstanding that all companies will be required by the GDPR to appoint a Data Protection Officer (“DPO”).

The designation of a DPO is only mandatory and thus only truly required for entities that act as a data controller or data processor in the three specific cases which have been described: (i) if the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (ii) if the core activities (i.e., the primary activities or key operations that are necessary for achieving the goals of the controller or processor) consist of processing operations that require regular and systematic large-scale monitoring of data subjects, e.g., businesses that engage in profiling or tracking of online behaviour; or (iii) if the core activities consist of processing on a large scale the so-called “sensitive” categories of personal data, such as health data, biometric data, data revealing ethnic origin or religious beliefs, and information relating to criminal convictions. Additionally, Member State law may require the mandatory appointment of a DPO in other situations as well, as is already the case for Germany for example.

In other cases than those referred to above, the voluntary appointment of a DPO is merely recommended, thus not mandatory. Moreover, if an organization designates a DPO voluntarily, the requirements under the GDPR will fully apply to his or her designation, position, and tasks as if the designation were mandatory. This needs to be considered when deciding to appoint a DPO voluntarily.

 

Stibbe, together with Chiomenti, Cuatrecasas, GIDE and Gleiss Lutz, have gathered this useful information, reflecting some common misconceptions about the implementation of the GDPR.

Team

Related news

06.06.2019 BE law
TMT Roundtable: Getting a handle on software quality

Roundtable - Erik Valgaeren, TMT Partner at Stibbe Brussels, and his team organize a roundtable on software quality in our Brussels office on June 6th, 2019. Software quality is a recurring theme in many matters handled by our TMT team. Whether our assistance relates to preparing tender documents, contracting effectively, assessing proper performance or allocating ownership and accountability in challenging IT projects, questions concerning software quality always arise.

Read more

21.05.2019 EU law
Part one - GDPR and Public Law - Applicability of GDPR to public bodies

Articles - Since the GDPR became applicable almost one year ago, multiple questions have arisen about its interaction with other fields of law. In this three-part blog series of “GDPR and Public Law”, we discuss three capita selecta of the interaction of GDPR with public law and government. In this blog we discuss the applicability of GDPR to public bodies.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring