The appointment of a DPO is mandatory in the following three cases:
- the organisation is a public authority;
- the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
- the organisation’s core activities consist in large-scale processing of sensitive data or personal data relating to criminal convictions and offences.
You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.
More information: