Short Reads

Countdown 9 weeks until GDPR : Will all companies be required to appoint a data protection officer?

Stibbe - Will all companies be required to appoint a DPO?

Countdown 9 weeks until GDPR : Will all companies be required to appoint a data protection officer?

22.03.2018 EU law

Only 9 more weeks to go before the GDPR becomes fully effective. Preparing your company for the application of this new regulation requires a correct understanding of its principles. Each week, we highlight one particular misconception regarding the interpretation of the GDPR.

Will all companies be required to appoint a data protection officer?

It is a common misunderstanding that all companies will be required by the GDPR to appoint a Data Protection Officer (“DPO”).

The designation of a DPO is only mandatory and thus only truly required for entities that act as a data controller or data processor in the three specific cases which have been described: (i) if the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (ii) if the core activities (i.e., the primary activities or key operations that are necessary for achieving the goals of the controller or processor) consist of processing operations that require regular and systematic large-scale monitoring of data subjects, e.g., businesses that engage in profiling or tracking of online behaviour; or (iii) if the core activities consist of processing on a large scale the so-called “sensitive” categories of personal data, such as health data, biometric data, data revealing ethnic origin or religious beliefs, and information relating to criminal convictions. Additionally, Member State law may require the mandatory appointment of a DPO in other situations as well, as is already the case for Germany for example.

In other cases than those referred to above, the voluntary appointment of a DPO is merely recommended, thus not mandatory. Moreover, if an organization designates a DPO voluntarily, the requirements under the GDPR will fully apply to his or her designation, position, and tasks as if the designation were mandatory. This needs to be considered when deciding to appoint a DPO voluntarily.

 

Stibbe, together with Chiomenti, Cuatrecasas, GIDE and Gleiss Lutz, have gathered this useful information, reflecting some common misconceptions about the implementation of the GDPR.

Team

Related news

20.09.2022 EU law
Launch of Metaverse blog series

Articles - Stibbe launches a new blog series focusing on the legal challenges of the Metaverse. In our upcoming blog posts, we will discuss the legal challenges of NFTs, crypto-assets, Metaverse platforms, crypto exchanges, DAO, and many more.

Read more

28.07.2022 NL law
Zuiver commercieel belang ook gerechtvaardigd belang: Raad van State laat zich er niet over uit

Short Reads - Op 27 juli 2022 heeft de Raad van State bevestigd dat de Autoriteit Persoonsgegevens onterecht een boete van € 575.000 aan VoetbalTV heeft opgelegd. De hoop bestond dat de Afdeling antwoord zou geven op de vraag of de AP terecht of onterecht meent dat een zuiver commercieel belang géén gerechtvaardigd belang kan zijn in de zin van de Algemene Verordening Gegevensbescherming. Het antwoord op deze vraag blijft echter uit.  

Read more

28.07.2022 NL law
Purely commercial interest also a legitimate interest? Council of State leaves the question unanswered.

Short Reads - On 27 July 2022, the Council of State confirmed that the Dutch Data Protection Authority wrongly imposed a €575,000 fine on VoetbalTV. But the Council did not answer the question whether the AP rightly or wrongly believes that a purely commercial interest cannot be a legitimate interest within the meaning of the General Data Protection Regulation.

Read more