Who can and who does not have to designate a DPO?
Art. 37 para. 1 of the General Data Protection Regulation provides for the obligation to designate a data protection officer for controllers and processors where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
In the interpretation of the notions used in Art. 37 para. 1 letters b and c of the GDPR („core activities”, „regular and systematic monitoring” and „on a large scale”) the recitals of the GDPR and Article 29 Working Party’s Guidelines on Data Protection Officers may be useful.