A recap on the rules relating to the appointment of a Data Protection Officer (DPO)

A look at main tasks as well as some best practices for the DPO function

In times when processing personal data is part of many business processes, the presence of a data protection officer or SPOC (single point of contact) brings value to a company and its workforce, customers as well as other business partners.

This will be increasingly so when organisations, whether in the private, public or non-profit sector, are designing and rolling out their post-COVID-19 confinement exit strategy to gradually go back to “business as usual” possibly envisaging the use of health passports, temperature checks or contact-tracing applications.

That is why we seize the opportunity to recap on the rules relating to the appointment of a DPO, its main tasks as well as some best practices for the DPO function. Our DPO tool helps you assess whether you need to appoint a data protection officer (DPO) in just a few clicks.


When must a Data Protection Officer be appointed (GDPR)?

Mandatory

Under Article 37 of the GDPR, a DPO must be appointed by a controller or a processor in the following 3 situations:

  • (a) - the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • (b) - the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • (c) - the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

Note that, under local law, more specific or additional requirements may exist regarding the appointment of a DPO (e.g. in Germany). It can be that, even though having a DPO is not mandatory under the GDPR, local law still imposes the appointment of a DPO. 

Voluntary

If an organisation does not fall within one of the 3 situations (mentioned in the ‘Mandatory’ section), it is still recommended by the former Article 29 Working Party [1] to appoint a DPO voluntarily, given the importance of such a role in complying with the GDPR and other applicable local instruments (legislation, court/supervisory authority's decisions, decrees, etc.).

[1] The Article 29 Working Party was the independent European working party that dealt with issues relating to the protection of privacy and personal data (i.e. issuing guidance, opinions, working documents, letters etc.) until 25 May 2018 (entry into application of the GDPR). On 25 May 2018, the European Data Protection Board (EDPB) succeeded the Article 29 Working Party and endorsed/confirmed the work/guidance issued by the Article 29 Working Party related to Data Protection Officers.

Mandatory notification

The appointment of a DPO must be notified to the competent supervisory authority (data protection authority). 

Document your decision making in light of your accountability

In any case, the decision to appoint a DPO or not is best documented in accordance with the accountability principle (Article 5(2) of the GDPR). Where a DPO is designated on a voluntary basis, or a person is given the title of DPO, the tasks and (independence) requirements for the DPO as well as the obligations of the controller/processor towards the DPO will be the same as if the DPO designation was mandatory. 

Many organisations that are not required to have a DPO therefore choose to appoint a privacy officer rather than designate a DPO on a voluntary basis, in order to have a SPOC for privacy and data protection within the organisation, without needing to comply with all DPO-related obligations.


Main tasks of the DPO

The tasks/missions of the DPO are listed in Article 39 of the GDPR and can be summarized as follows:  

  • collect information to identify processing activities (i.e. support with the register of processing activities, etc.);
  • analyse and verify the compliance of processing activities with the GDPR. It needs to be stressed that the DPO is not in charge of compliance itself, which remains the responsibility of the business;
  • inform, advise or address recommendations to the data controller or processor (i.e. advise on whether or not to carry out a data protection impact assessment, etc.).
Independence of the DPO

The DPO shall be and remain independent in the course of the performance of his/her tasks. This means that: 

  • the DPO may never receive any instructions on how to perform his/her DPO tasks; 
  • the DPO cannot be penalised or removed on account of the performance of his/her tasks;
  • conflicts of interest must be avoided between the function of DPO and other functions that the DPO may perform. As general guidance, it is best to avoid appointing decision makers (CXOs). Even when appointing someone at lower levels of the business, the organisation must remain vigilant for possible conflicts (e.g. a person responsible for a certain business process or product will not be able to act as the DPO for that process or product).

Best practices

Below we also summarise some possible practical steps towards compliance based on official guidelines or best practices on the market: 

Internal or external

A DPO can be internal or external. For (larger) organisations where personal data is key to the business and which are more heavily impacted by GDPR, it could be more useful to have an internal and/or full-time DPO supported by external counsel.

For other organisations, an external and/or part-time DPO could be sufficient.

A group DPO or a separate DPO per group entity

The GDPR provides the possibility for a group DPO instead of having a separate DPO per group entity, although this may come with practical challenges in terms of availability, local language requirements, etc.

Needless to say, we can help to set up a feasible and practical approach in a group context.

Availability

In terms of availability, take into account the following:

  • Establish dedicated contact points for the DPO (e.g. postal address, telephone number and/or e-mail address, and a contact form on the website dedicated to the DPO), allowing people to reach the DPO directly (for both internal and external contacts). 

  • Test the effectiveness of accessibility through the implementation of e.g. a “mock” data subject request or data breach (e.g. ensure timely follow-up of the data breach within 72 hours after becoming aware of the incident, and ensure involvement of senior management).

  • Inform staff of the existence and function of the DPO.

Safeguard the DPO’s independence

  • Avoid appointing executives or other persons of (senior) management as DPO to avoid the risk of self-review. One cannot take a data processing decision and subsequently monitor the GDPR compliance of such decision as DPO.
  • Do not give instructions/guidance on how the DPO should interpret the data protection laws/the courts’ or supervisory authorities’ decisions. 

Make sure that the DPO function is effective

  • Include the DPO in RACI matrices or process diagrams for business processes to ensure that the DPO is actively informed/consulted for business processes or new measures including data processing activities.
  • Invite the DPO (regularly) to management & innovation/digital meetings as well as crisis management meetings (e.g. in light of COVID-19).
  • Draw up the internal structure and governance of the DPO/DPO Office (and, where applicable, the Data Protection Liaisons) and their respective tasks and responsibilities.
  • Create an intranet page or other awareness forum dedicated to all matters relating to data protection.

Accountability is key

Accountability is key, especially in decision-making processes relating to data processing activities:

  • Formalise all advice given by the DPO.
  • Formalise the decisions made by management following such advice (or not), with the relevant motivation.

Provide sufficient resources

  • Ensure that the DPO has access to knowledge, regular training and the necessary resources to perform his/her duties; 
  • Agree on a concrete allocation of time and resources for the DPO function, especially where the DPO is only appointed on a part-time basis or where the DPO is appointed externally. Set clear thresholds or triggers for the DPO to escalate to management in order to obtain additional resources (e.g. in the event of a breach or a complex data subject access request).
  • Preselect external providers to provide additional expertise or assistance when needed (e.g. legal expertise; “red teams”; cybersecurity assistance).

If, as a DPO or a member of management, you have questions or doubts in this respect, for example following new data processing activities in light of COVID-19 exit strategies, do reach out. We are here to help. 
