Appointing a DPO – more than just a formality?

19/02/2025

For several years, the GDPR has required companies and organizations to process personal data correctly, such as that of customers, employees, and suppliers. This includes, among other things, drafting and maintaining a privacy policy and a processing register. However, it is less well known that certain types of companies are also required to appoint a "data protection officer" (DPO).

In practice, we see that some companies appoint a DPO without being required to do so, while other companies are unaware of their obligation to appoint a DPO.

What is (and does) a DPO?

A DPO is an independent expert who advises on and monitors compliance with data protection, or ‘privacy’, within a company.

The DPO keeps legally required documents up-to-date, assists the company in case of a data breach, and answers questions from individuals about the processing of their personal data.

Additionally, the DPO is involved in new projects or activities within the company to ensure that there are no breaches in data protection.

Finally, the DPO is the point of contact for all privacy-related questions, both internally and externally (for employees, customers, suppliers, and the Data Protection Authority).

Which companies and organizations must appoint a DPO?

There is often a lot of uncertainty about this in practice. It is a misconception that only the size or activity of the company plays a role in assessing whether it is required to appoint a DPO.

A DPO is mandatory in three cases:

  • Public authority or body. In this case, the appointment of a DPO is mandatory, regardless of the type of data processed. Public service providers, as well as organizations that collaborate with the government and process personal data, are also subject to this obligation.
  • Companies that systematically and on a large scale process personal data such as that of customers or employees. Examples of such organizations are marketing agencies, HR service providers, and some IT companies. An analysis of the scope and frequency of the processing will need to be carried out to determine whether an appointment is necessary in the specific case.
  • Companies that process "special" categories of personal data such as health data or criminal data. Classic examples are hospitals or law firms.

Voluntary appointment of a DPO is possible

Even if your company is not legally required to appoint a DPO, it can still do so voluntarily.

The appointment of a DPO offers several advantages:

  • Strengthening customer trust. Companies that value privacy protection create a more positive image with customers and suppliers.
  • More efficient data processing and processes. A central point of contact within the company often ensures that privacy is handled more efficiently, and therefore also more cost-effectively.

An internal or external DPO?

The DPO can be either an employee or a third party (for example, a lawyer) who performs their function based on a service agreement. For many companies, appointing an external DPO will be a more financially attractive option – there is no need to hire an additional employee. Often, a part-time assignment can also be sufficient to meet the obligations under the GDPR.

Are you unsure today whether you need to appoint a DPO?

We would be happy to discuss with you whether the appointment of a DPO is mandatory and/or useful. Our firm has several experts who can act as external and independent DPOs within your company.

For further questions regarding data protection, you can contact our PKF BOFIDI Legal team. We are happy to assist you.

This article was written by Lauranne Piotrowski.

