Article 37(1) of the GDPR requires the designation of a DPO in three specific cases:
– where the processing is carried out by a public authority or body;
– where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
– where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
In other cases, appointing a DPO is optional. However, the Article 29 Working Party recommends appointing a DPO even where the regulations do not require one. Data protection officers can significantly facilitate compliance with the GDPR and play an important role in mediating between interested parties (e.g. the data protection authority, data subjects and those within the organization).