According to Article 37 of the GDPR, the designation of a data protection officer (DPO) is mandatory for controllers and processors in three cases1:
When the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
When the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
When the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
The GDPR does not define what constitutes “regular and systematic monitoring” or “large scale”, but the Article 29 Working Party (now replaced by the European Data Protection Board) has provided some guidance on these concepts2. According to the guidance, “regular and systematic monitoring” includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising, but also offline activities such as CCTV or health data monitoring. The guidance also suggests some criteria to assess whether the processing is carried out on a large scale, such as the number of data subjects concerned, the volume of data or the range of data items processed, the duration or permanence of the processing activity, and the geographical extent of the processing.
In the given scenario, option D is the only one that clearly falls under the second case of mandatory DPO designation, as it implies that the controller or processor is engaged in regular and systematic monitoring of data subjects on a large scale as part of their core activities. This could include, for example, online behavioural advertising, location tracking, loyalty programs, or health data analytics. The other options are not sufficient to trigger the obligation to appoint a DPO, unless they are combined with other factors that indicate a large scale or a high risk of the processing. For instance, option A is not relevant, as the GDPR does not set a threshold based on the size or number of employees of the organisation. Option B is also not decisive, as the GDPR does not distinguish between for-profit or non-profit purposes of the processing. Option C may require a DPO if the processing of financial information or information relating to children is done on a large scale and involves special categories of data, but it is not a general rule. References:
1: Article 37 of the GDPR
2: Guidelines on Data Protection Officers (‘DPOs’)
3: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
4: https://edpb.europa.eu/sites/edpb/files/files/file1/wp243rev01_en.pdf
5: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
6: [https://edpb.europa.eu/sites/edpb/files/files/file1/wp243rev01_en.pdf]
7: [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679]
[Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/accountability-and-governance/data-protection-officers/, ]
