In this practical sub-module, small and medium-sized enterprises (SMEs), acting as data controllers and processors, can answer 15 questions to determine whether they are required to appoint a Data Protection Officer (DPO).
If an organization determines that it needs to designate a DPO, further guidance on the appointment, role, and responsibilities of the DPO will be provided in the subsequent practical sub-module,
Task and duties of DPO.
Important Note: The examples listed below illustrate situations in which an organization is obligated to appoint a DPO. If your specific business activity is not mentioned in the questionnaire, it does not imply that you are exempt from the requirement to designate a DPO.
A Data Protection Officer should be appointed (regardless of the number of employees) in the following three specific cases:
A) When processing is carried out by a public authority or body;
B) When the core activities of the controller or processor involve processing operations that require regular and systematic monitoring of data subjects on a large scale; or
C) When the core activities of the controller or processor involve large-scale processing of special categories of data or personal data related to criminal convictions and offenses.
Find out more:
Guidelines on Data Protection Officers ('DPOs') (wp243rev.01).
