mail DUTCH  

The GDPR contains several provisions regarding the designation of a ‘Data Protection Officer’ (hereafter: ‘DPO’). Article 37(1) of the GDPR describes three specific cases when the designation of a DPO is mandatory. It is however important to realize that – according to article 37(4) of the GDPR - EU member states may define additional situations in which the designation of a DPO is required. This means it is prudent to take note of the specific legislation in the specific Member State in which the processing activities are carried out. 


Article 37(1) GDPR


According to the GDPR the designation of a DPO is required in three specific cases:

  • where the processing is carried out by a public authority or body;
  • where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale;
  • where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.



‘Core Activities’
‘Core activities’ can be considered as the key operations necessary to achieve the controller’s or processor’s goals. When processing data forms an inextricable part of the activity (gathering personal information to provide proper healthcare by hospital; gathering camera footage in a mall to provide security) this also is referred to as ‘core activities’. However, nearly all organizations carry out certain IT activities where personal data is involved like collecting data from employees. These activities are not regarded to be part of the core activities as referred to in art. 37.


‘Regular and systematic monitoring’
‘Regular and systematic monitoring’ includes all forms of tracking and profiling on the internet, including monitoring with the intention of behavioral advertising.


‘Regular’ means:

  • Ongoing or occurring at certain intervals for a defined period;
  • Recurring or repeated at fixed times;
  • Constantly or periodically taking place;

‘Systematic’ means:

  • Occurring according to a system;
  • Pre-arranged, organized or methodical;
  • Taking place as part of a general plan for data collection;
  • Carried out as part of a strategy.

‘Large scale’
The following factors are to be considered when determining whether the processing is carried out on a large scale:

  • The number of data subjects concerned (specific number or portion of the relevant population;
  • The volume of data and/or range of different data items being processed;
  • The duration, or permanence, of the data processing activity;
  • The geographical extent of the processing activity.

Liability DPO
According to the Guidelines on Data Protection Officers of the Article 29 WP, DPO’s are not personally responsible in case the controller / processor is non-compliant with the GDPR. It is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions (art. 24 GDPR). 


Accessibility DPO
The DPO must be accessible with respect to data subjects (art. 38 (4)), the supervisory authority and internally within the organization of the controller of processor. To ensure accessibility:

  • the contact details of the DPO are available in a clear and accessible form (postal address, dedicated telephone number, dedicated mail address). These contact details must be published by the controller or processor (art. 37(7));
  • the DPO must be able to efficiently communicate with data subjects and cooperate with the supervisory authorities and therefore communication must take place in the language or languages used by the supervisory authorities and the data subject;
  • the controller or processor must communicate the contact details of the DPO to the relevant supervisory authorities.

The DPO is bound by secrecy of confidentiality concerning the performance of his or her tasks. This secrecy does not prohibit the DPO from contacting and seeking advice from the supervisory authority.


Position of the data protection officer (art. 38)
Involvement of the DPO in all issues relating to data protection
The controller and the processor shall ensure that the DPO will be involved, properly and in a timely manner (earliest stage possible), in all issues which relate to the protection of personal data.

  • The DPO is invited to participate regularly in meetings of senior and middle management;
  • The presence of the DPO is recommended where decisions with data protection implications are taken. All relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide adequate service.
  • The opinion of the DPO must always be given due weight. In case of a disagreement the WP29 recommends documenting the reasons for not following the DPO’s advice.
  • The DPO must be promptly consulted once a data breach or another incident occurred.

Necessary resources
The controller or processor must support its DPO by providing resources necessary to carry out its tasks (so that the organization can comply) and access to personal data and processing operations, and to maintain his or her expert knowledge. For instance:

  • Active support of the DPO’s function by senior management;
  • Sufficient time for DPO’s to fulfill their duties;
  • Adequate support in terms of financial resources, infrastructure and staff (where appropriate);
  • Access to other services (human resource, legal, IT, security, etc.);
  • Continuous training;

Autonomy and independence
Controllers and processors are required to ensure that the DPO does not receive any instructions regarding the exercise of his or her tasks. Whether or not the DPO is an employee of the controller, the DPO should be in the position to perform his or her duties and tasks in an independent manner.
The DPO must not be instructed how te deal with a matter, what results should be achieved, how to investigate a complaint or whether to consult the supervisory authority.
The controller or processor does however remain responsible for compliance with data protection law and must be able to demonstrate compliance.


Dismissal or penalty for performing DPO tasks
DPO’s should not be dismissed or penalized by the controller or the processor for performing their tasks (art. 38(3)). Penalties may vary in form and could consist of absence or delay of promotion, prevention from career advancement, denial from benefits that other employees receive. A threat to carry out a penalty is sufficient as long as it is used to penalize the DPO on grounds related to his or her DPO activities.
A DPO could still be dismissed legitimately for reasons other than for performing his or her tasks as a DPO.


Conflict of interests
The DPO should not perform any tasks that may lead to a conflict of interests with his tasks as DPO. A DPO cannot hold a position within the organization that leads him or her to determine the purpose and the means of the processing of data. Conflicting positions for a DPO may be senior management positions (chief executive, chief operating, chief financial, head of marketing, head of human resource management).


Expertise of de DPO (art. 37 par. 5)
The DPO shall be designated on the basis of professional qualities and expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39.
Please consider whether the controller / processor is subject to the GDPR.


Tasks of the data protection officer (art. 39)
Monitoring compliance with the GDPR
Article 39 (1)(b) entrusts the DPO’s with the duty to monitor compliance with the GDPR and to assist the controller or processor to monitor internal compliance with the GDPR. These monitoring tasks can consist of:

  • Collecting information to identify processing activities;
  • Analyze and check the compliance of processing activities;
  • Inform, advise and issue recommendations to the controller or the processor.

The DPO’s role in a data protection impact assessment
It is the task of the controller to carry out a data protection impact assessment (‘DPIA’) when necessary. According to art. 35(2) the controller shall seek advice of the DPO when carrying out a DPIA. The DPO should provide advice where requested as regards the DPIA and monitor its performance.
If the controller disagrees with the advice of the DPO, the DPIA documentation should specifically justify in writing why the advice has not been taken into account.


DPO’s role in record keeping
The controller or processor are required to maintain a record of processing operations under its responsibility or maintain a record of all categories of processing activities carried out on behalf of a controller (art. 30(1) and (2)).
It is however allowed that the controller or processor assigns the DPO with the task of maintaining the record of processing operations under the responsibility of the controller.
The record required to be kept under art. 30 should also be seen as a tool allowing the controller and the supervisory authority, upon request, to have an overview of all personal data processing activities an organization is carrying out. It is a prerequisite for compliance and an effective accountability measure.

  Update: 071817