The Data Protection Officer is a relatively new idea in Europe. Many believe only large companies need to appoint one, which is false. It is not so much the size of a company that determines this obligation, but the core activities. As such, even if a company is small with only 5-10 employees, but their core activities consist of processing personal data on a large scale, or large of large scale, regular and systematic monitoring of individuals they still need a DPO. On the other hand, it is true that companies with more than 250 employees will need to hire a DPO regardless of their core activities.

The Data Protection Officer can be someone from the organization, or the company can choose to appoint an external DPO. If choosing the internal DPO option, it should be ensured that there is no conflict of interest between the DPO duties and the ones from the person’s original position.

A DPO cannot be dismissed for performing his/her duties. However, despite appointing a DPO, companies are still responsible with compliance, the DPO cannot be fined if he/she gave the correct advice, but measures were not taken by the organization. Its tasks are to work towards compliance by monitoring specific processes, increasing employee awareness for data protection and collaborating with supervisory authorities.


Articles: 35,37,38,39

Recitals: 91,97