- Are you a public authority or body?
- Do your core activities require large scale, regular and systematic monitoring of individuals?
- Do your core activities consist of large scale processing of special categories of personal data or data relating to criminal convictions and offenses?
Who needs a Data Protection Officer under GDPR: public authorities or bodies
The first answer to who needs a Data Protection Officer under GDPR is public authorities or bodies. Because GDPR does not define “public authority or body”, the Article 29 Working Party guidance states that the definition of this term under national law applies. This means that public authorities and bodies include national, regional, and local authorities, and can also include a range of other bodies governed by public law. For instance, the UK Freedom of Information Act 2000 provides the following examples of public authorities:
- The Competition and Markets Authority;
- The House of Commons;
- The House of Lords;
- The armed forces of the Crown.
Public authorities or bodies are required to designate a DPO. If you run a business, it is relatively unlikely that you would be required to designate a DPO under this particular clause.
Do your core activities require large scale, regular and systematic monitoring of individuals?
The second instance of who needs a Data Protection Officer under GDPR is organizations whose core activities require large scale, regular and systematic monitoring of individuals. To understand whether you need a DPO under this clause, you need to determine whether you meet the definitions and requirements of the following criteria: “core activities”, “large scale”, and “regular and systematic monitoring.” We will discuss each of these criteria one by one so that you can perform a thorough and accurate analysis of your activities.
First, the monitoring of individuals must be part of your core activities, which is defined by Recital 97 as “primary activities and do not relate to the processing of personal data as ancillary activities.” Core activities are the key operations necessary to achieve your organization’s goals. For example, the processing of surveillance footage would be considered a core activity of a security company. On the other hand, processing the personal data of employees to issue paychecks by a bakery would not be considered a core activity because it is a support function for the organization’s main business.
Second, the monitoring of behavior must be carried out on a large scale to meet the requirements of who needs a Data Protection Officer under GDPR. While there is no fixed numerical threshold for the number of individuals that must be affected, the following factors may help you determine whether your processing would be considered large scale:
- The number of data subjects concerned – either as a specific number or as a portion of the relevant population;
- The volume of data and/or the range of different data items being processed;
- The duration, or permanence, of the data processing activity; and
- The geographical extent of the processing activity.
While determining whether processing is large scale should be undertaken on a case-by-case basis, the following examples can be helpful: processing of patient data by a hospital, processing of travel data by a public transport system, and processing of personal data by a search engine would all be considered large scale. On the other hand, the processing of data by an individual physician or lawyer would probably not qualify as large scale.
Third, your monitoring of the behavior of individuals must be “regular and systematic” for you to be required to appoint a DPO. Recital 24 states that the monitoring of the behavior of data subjects includes all forms of tracking and profiling on the Internet, including for the purposes of behavioral advertising. “Regular” means one or more of the following:
- Ongoing or occurring at particular intervals for a particular period;
- Recurring or repeated at fixed times;
- Constantly or periodically taking place.
In addition, “systematic” means one or more of the following:
- Occurring according to a system;
- Pre-arranged, organised or methodical;
- Taking place as part of a general plan for data collection;
- Carried out as part of a strategy.
If your processing meets all of the criteria above, then your core activities require large scale, regular and systematic monitoring of individuals and thus you are required to appoint a DPO.
Who needs a Data Protection Officer under GDPR: special categories of data or criminal conviction and offense data
The final answer to who needs a Data Protection Officer under GDPR is organizations whose core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offenses. GDPR defines special categories of data as “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health data, data regarding a person’s sex life or sexual orientation.” If your core activities include the large scale processing of the data enumerated above or data related to criminal convictions and offenses, your activities pose a greater risk to individuals than other types of personal data processing, and thus your organization must appoint a Data Protection Officer.