Misunderstanding 4: Data Protection Officer (DPO)

March 22, 2018

The Data Protection Officer (DPO) is often mentioned in the same breath when talking about the General Data Protection Regulation (GDPR). The GDPR stipulates that the appointment of a DPO is compulsory in some cases, but it is a misunderstanding that a DPO is compulsory for all companies. It is also not true that a DPO is only mandatory for large organisations. In this blog you will find out everything about the DPO.

What is a DPO?

A Data Protection Officer (DPO) is an independent data protection expert appointed within an organisation (or a number of organisations) to advise, inform and supervise compliance with the GDPR. Thus, the DPO is also an aspect of accountability that was mentioned in the last blog post.

A DPO may be a member of staff or an external expert who carries out the work on the basis of a service contract. The GDPR also stipulates that a group of organisations may appoint a single DPO, provided that the DPO can work together with the various branches in a practical manner. The same applies to public authorities and governmental bodies: several such authorities or bodies may jointly appoint one DPO, provided that their size permits that. The person who will take on the role of DPO must have professional qualities and expertise in the field of data protection and must be well able to perform the tasks of the DPO.

Tasks of the DPO

These tasks are: informing and advising the organisation and the employees about the GDPR, monitoring compliance with the GDPR, assisting with PIAs and acting as point of contact for the respective national Data Protection Authority.

In order to be able to perform these tasks properly, the GDPR stipulates that the DPO must have access to all the information he or she needs for this purpose. The DPO may not be dismissed or punished for carrying out his or her duties. In addition, the DPO reports directly to the organisation's senior management.

DPO ≠ Privacy Officer

Another misunderstanding: a DPO is often confused with a privacy officer. However, these are two different functions. A privacy officer is usually an employee of the legal or compliance department who has the task of leading projects and ensuring that 'privacy is properly ensured'. The exact content of this function will vary from one organisation to another. However, the DPO has (as described above) legal tasks and a special position, the main task of which is to monitor compliance with the GDPR. The DPO will therefore counsel and supervise the work of the privacy officer. It is even preferable that both a DPO as well as a privacy officer are appointed in a large organization. This prevents the DPO from both external reporting and internal controlling, i.e. inspecting his or her own work.

In which cases is a DPO mandatory?

The appointment of a DPO is mandatory for the following organisations:

  1. For a public authority or governmental body;
  2. For organisations which mainly carry out processing operations with the regular and systematic large-scale observation of data subjects;
  3. For organisations whose main activity is the large-scale processing of special categories of personal data or criminal data.

Main activities

In the second and third bullet point, we see the word 'mainly'. The term 'mainly' refers to all processing operations that are related to the 'main activities' of the organisation. What are the main activities? These activities are the activities necessary to achieve the main objective of the organisation concerned. For example, the main purpose of a hospital is to provide healthcare, not to process personal data. However, the processing of patients' personal data and information about their health is inextricably linked to the provision of healthcare; there is an urgent need to provide safe and efficient care.

Such closely related activities should be distinguished from secondary support activities. For example: the hospital's HR department will also process some special categories of personal data during application procedures or when employees report sick. These activities are subordinate to the main activities and are not inseparable from the hospital's main purpose.


When assessing whether or not a processing operation is 'large-scale', we must take into account the amount of personal data processed, at what level (regional, national or supranational), and the number of data subjects.

As indicated above, the processing of special categories of personal data (information on patient health) falls within the main activities of a hospital. We can also conclude that this happens on a large scale at a hospital. It is therefore compulsory for a hospital to appoint a DPO (see point 3). Become a DPO? Or would you like to know more about the DPO in practice? Keep an eye on the blog page. A fact sheet with do's & don'ts and tips & tricks for the collaboration with DPOs will soon be published!