
To appoint or not to appoint a DPO? — that’s the question*


From the perspective of compliance with Regulation (EU) 2016/679, the appointment of a DPO is not a general option: it is a legal obligation in certain clearly defined situations and a recommended good practice in others.

When is a DPO mandatory?

According to the provisions of art. 37 para. (1) of the Regulation, the controller or the processor must appoint a DPO in three cases:

  1. Public authorities or bodies
     – automatic obligation (except for courts acting in their judicial capacity).
  2. Regular and systematic monitoring of data subjects on a large scale
     – e.g.: online tracking, customer scoring, telematics/GPS, behavioral profiling.
  3. Large-scale processing of special categories of data
     – e.g.: health data, biometric data, criminal conviction data, etc.

The notions of “large scale”, “systematic monitoring” and “core activities” are not defined with mathematical precision in the GDPR; they are developed in the guidelines of the European Data Protection Board (formerly the Article 29 Working Party, WP29). These call for a cumulative assessment of criteria such as the number of data subjects, the volume of data, the duration of the processing and its geographical extent.

The European Commission stresses, in its official documents for the implementation of the GDPR, that the appointment of a DPO is recommended whenever:

  • the processing involves high risks to the rights of individuals;
  • there are complex or recurring processing operations;
  • the organization wants to demonstrate accountability [art. 5 para. (2) GDPR].

In other words, even in the absence of a strict legal obligation, the appointment of a DPO may be necessary in practice to ensure compliance and reduce operational and, especially, reputational risks.

Practice and interpretation

There is, at present, no extensive CJEU case law dealing exclusively with the obligation to appoint a DPO. However, national courts and authorities consistently apply the general principles of the GDPR, in particular:

  • the risk-based approach;
  • the principle of accountability.

Indirectly relevant is the CJEU case law on the broad interpretation of the notions used in the GDPR, in which the Court held that the analysis must be carried out concretely, according to the impact on the data subjects, and not formally.

In practice, supervisory authorities sanction not only the absence of a DPO where one is mandatory, but also:

  • formal designations without real independence;
  • conflicts of interest (e.g.: a DPO who is also the IT or HR director).

When you “need” a DPO, even if it is not mandatory

From a DPO’s perspective, there are frequent situations in which, although the conditions of art. 37 are not strictly met, designation is necessary in practice, for example:

  • companies with intense marketing activity and large customer bases;
  • organizations that use monitoring technologies (GPS, CCTV, analytics);
  • groups of companies with complex data flows;
  • entities that handle sensitive data on a constant basis (even if not “large scale” in the strict sense).

Conclusion

The appointment of a DPO must be analyzed not only formally, against art. 37 GDPR, but also functionally, according to the real risks of the processing.

Thus, in essence, the appointment of a DPO:

  • is mandatory in the cases expressly provided for by the GDPR;
  • is recommended in any situation of high risk or high complexity;
  • becomes, in practice, an essential tool for achieving compliance and demonstrating the accountability of the controller.

A prudent approach is to assess the need for a DPO internally, through a documented analysis, and, in case of doubt, to opt for designation, given its relatively low cost compared to the risks of non-compliance.

*This material is informative and reflects a general interpretation of the aspects analyzed, without constituting legal advice applicable to specific situations. For specific assessments or tailored solutions, we invite you to contact us by filling out the form available via the button below.
