Q: Does my company/organisation need to have a Data Protection Officer (DPO)?
A: Your company/organisation needs to appoint a DPO, whether it's a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals. In that respect, monitoring the behaviour of data subjects includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.
Public administrations always have an obligation to appoint a DPO (except for courts acting in their judicial capacity).
The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contract. A DPO can be an individual or an organisation.
A DPO is mandatory, for example, when your company/organisation is:
a hospital processing large sets of sensitive data
a security company responsible for monitoring shopping centres and public spaces
a small head-hunting company that profiles individuals
DPO not mandatory
A DPO isn’t mandatory if:
Article 29 Working Party Guidelines on the Data Protection Officers, 5 April 2017 (WP 243)
Articles 37 to 39 and Recital (97) of the GDPR
The above FAQ was included on the European Commission’s website, which can be located here: