Appoint a Data Protection Officer (DPO)

Your company/organisation needs to appoint a DPO, if its core activities involve the use of sensitive data, or systematic monitoring, on a large scale. In that respect, monitoring the behaviour of individuals includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.

Public administrations always have an obligation to appoint a DPO (except for courts acting in their judicial capacity).

The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contact. A DPO can be an individual or an organisation.

Examples

DPO mandatory
A DPO is mandatory for example when your company/organisation is:

    a hospital processing large sets of sensitive data;
    a security company responsible for monitoring shopping centres and public spaces;
    a small head-hunting company that profiles individuals.

DPO not mandatory
A DPO isn’t mandatory if:

    you’re a local community doctor and you process personal data of your patients
    you have a small law firm and you process personal data of your clients