Checklist: When and how to appoint a data protection officer (EU)

Updated as of: 05 February 2025

Introduction

This checklist provides guidance to in-house counsel about when and how to appoint a data protection officer (DPO) and can be used to assist private practitioners when advising clients on these issues.

The checklist addresses the following questions:

  1. Is your organisation required to appoint a DPO?
  2. What must your organisation do when appointing a DPO?
  3. What tasks does the DPO have to perform?

It is approached from the point of view of the organisation, rather than the DPO. At the end of the document there are explanatory notes, and specific notes corresponding to the relevant step in the checklist.

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.

This checklist can be used in conjunction with How-to guide: How to ensure compliance with the GDPR and Checklist: GDPR compliance self-assessment audit.

Step 1 – Is your organisation required to appoint a DPO?

No. | Criteria | Yes/No | Result
--- | --- | --- | ---
1.1 | Is your organisation a public authority or body (except for a court acting in its judicial capacity)? | Yes/No | If yes, DPO required. If no, go to 1.2
1.2 | Do your organisation’s core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale? Specifically: | |
1.2.1 | Does your organisation carry out ‘monitoring’ of data subjects? | Yes/No | If yes, DPO may be required – go to 1.2.2. If no, go to 1.3
1.2.2 | Is the monitoring ‘regular’? | Yes/No | If yes, DPO may be required – go to 1.2.3. If no, go to 1.3
1.2.3 | Is the monitoring ‘systematic’? | Yes/No | If yes, DPO may be required – go to 1.2.4. If no, go to 1.3
1.2.4 | Is the monitoring on a ‘large scale’? | Yes/No | If yes, DPO may be required – go to 1.2.5. If no, go to 1.3
1.2.5 | Is monitoring a ‘core activity’ of your organisation? | Yes/No | If yes, DPO required. If no, go to 1.3
1.3 | Do your organisation’s core activities consist of large-scale processing of special categories of personal data? Specifically: | |
1.3.1 | Does your organisation process special categories of personal data? | Yes/No | If yes, DPO may be required – go to 1.3.2. If no, go to 1.4
1.3.2 | Is the special category data processing on a large scale? | Yes/No | If yes, DPO may be required – go to 1.3.3. If no, go to 1.4
1.3.3 | Is the special category data processing a core activity of your organisation? | Yes/No | If yes, DPO required. If no, go to 1.4
1.4 | Do your organisation’s core activities consist of large-scale processing of criminal data? Specifically: | |
1.4.1 | Does your organisation process criminal data? | Yes/No | If yes, DPO may be required – go to 1.4.2. If no, DPO not required
1.4.2 | Is the criminal data processing on a large scale? | Yes/No | If yes, DPO may be required – go to 1.4.3. If no, DPO not required
1.4.3 | Is the criminal data processing a core activity of your organisation? | Yes/No | If yes, DPO required. If no, DPO not required

Step 2 – What must your organisation do when appointing a DPO?

No. | Requirement | Legally required? | Good practice
--- | --- | --- | ---
2.1 | Decide the DPO’s remit and ensure the DPO is accessible across all supported organisations | |
2.2 | Decide the basis of the DPO’s appointment (internal/external) | |
2.3 | Decide how to structure the DPO function | |
2.4 | Appoint the DPO under a written contract with a detailed role specification | |
2.5 | Designate the DPO on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil their prescribed tasks under article 39, EU GDPR (see step 3) | |
2.6 | Ensure the DPO has proper and timely involvement in all issues related to the protection of personal data | |
2.7 | Support the DPO in performing their prescribed tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain their expert knowledge | |
2.8 | Ensure the DPO is independent and does not receive any instructions regarding the exercise of their prescribed tasks | |
2.9 | Not dismiss or penalise the DPO for performing their tasks | |
2.10 | Ensure the DPO has a direct reporting line to the highest management level | |
2.11 | Ensure data subjects may contact the DPO about all issues related to processing of their personal data and the exercise of their rights under data protection laws | |
2.12 | Ensure the DPO is bound by secrecy or confidentiality concerning the performance of their tasks | |
2.13 | Ensure any other tasks and duties performed by the DPO do not result in a conflict of interests | |
2.14 | Ensure the details of the DPO have been published in the organisation’s privacy notice | |
2.15 | Ensure the details of the DPO have been notified to the relevant supervisory authorities | |

Step 3 – What tasks does the DPO have to perform?

No. | Requirement | Legally required? | Good practice
--- | --- | --- | ---
3.1 | Inform and advise the organisation and employees who carry out processing about their obligations under data protection laws | |
3.2 | Monitor compliance with data protection laws and with the organisation’s data protection policies, including: the assignment of responsibilities; awareness-raising; training of staff involved in processing operations; and the related audits | |
3.3 | Provide advice where requested as regards data protection impact assessments (DPIAs), and monitor their performance | |
3.4 | Cooperate with the relevant supervisory authorities | |
3.5 | Be the contact point for the relevant supervisory authorities on issues relating to processing | |
3.6 | Take a risk-based approach, having due regard to the risk associated with processing operations | |
3.7 | Ensure these tasks are set out in the DPO’s job specification/employment contract/services contract | |

Explanatory notes

Legal framework

The checklist covers the requirements under:

  • the EU GDPR;
  • the Article 29 Working Party Guidelines on Data Protection Officers (as last revised and adopted on 5 April 2017) (EDPB DPO guidelines); the Article 29 Working Party (WP29) has since been replaced by the European Data Protection Board (EDPB); and
  • where relevant, EU member state supervisory authority interpretation of those EU GDPR requirements.

Articles 37 and 38, EU GDPR, set out the key requirements regarding the appointment of a DPO. Article 39, EU GDPR, sets out the tasks of the DPO.

Whether to have a DPO

A DPO is a data protection specialist who has a key role in supporting an organisation in its data protection compliance. Appointment of a DPO is mandatory for some organisations and can be an important aspect of demonstrating ‘accountability’ (article 5(2), EU GDPR). Step 1 of this checklist will help you to determine whether your organisation is required to appoint a DPO.

The requirements for a DPO apply to both controller and processor organisations. However, even if the controller meets the criteria for mandatory appointment, its processor might not.

Where a statutory DPO is appointed, the GDPR requires the organisation to support the DPO in certain ways, and the DPO must perform specific minimum prescribed tasks. This may sway an organisation not to appoint a DPO unless it is legally required to do so.

However, it may in some instances be worth voluntarily appointing a DPO, particularly where the organisation is on the threshold for mandatory DPO appointment, or its plans mean that the organisation may meet those criteria in future.

Even if a DPO is not appointed, as a matter of good governance, someone in your organisation should be tasked with responsibility for privacy and data protection compliance. But you should not call someone a data protection officer or DPO unless the DPO requirements under the GDPR can be properly fulfilled.

Step 1 – Is your organisation required to appoint a DPO?

Step 1 of the checklist is a sequence of questions to help you decide if a DPO is required. Answer every question in order.

1.1 Is your organisation a public authority or body?

Public authorities and public bodies are required to appoint a DPO (article 37(1)(a), EU GDPR). The exception to this is courts acting in their judicial capacity.

1.2 Do your organisation’s core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale?

Each of the specific elements in the main question is broken down below.

  • ‘Regular and systematic monitoring’

    The EDPB DPO guidelines say that ‘monitoring’ includes all forms of online and offline tracking and profiling, including for behavioural advertising purposes.

    ‘Regular’ was interpreted by the then WP29 as meaning any, or a combination, of the following:

    • ongoing or occurring at particular intervals for a particular period;
    • recurring or repeated at fixed times; or
    • constantly or periodically taking place.

    This means that ad hoc or one-off monitoring activities would not be caught.

    ‘Systematic’ was interpreted by the former WP29 as meaning any, or a combination, of the following:

    • occurring according to a system;
    • prearranged, organised or methodical;
    • taking place as part of a general plan for data collection; or
    • carried out as part of a strategy.

    In short, this means that monitoring must happen as part of an organised system or an intentional approach.

    Examples from the former WP29 of activities that will amount to regular and systematic monitoring include:

    • a large retail website using algorithms to monitor, continuously and according to predefined criteria, the searches and purchases of its users, and offering them recommendations based on this information;
    • operating a telecommunications network or providing telecommunications services;
    • data-driven marketing activities, including email retargeting and behavioural advertising;
    • profiling and scoring for risk-assessment purposes (eg, for credit scoring, calculating insurance premiums, fraud prevention, detection of money laundering);
    • location tracking (eg, by mobile apps);
    • loyalty programmes;
    • monitoring of wellness, fitness and health data via wearable devices;
    • CCTV; and
    • connected devices (eg, smart meters, smart cars, home automation).
  • ‘Large-scale’

    The EU GDPR does not specifically define large-scale processing (but see recital 91, EU GDPR), and there is no rule of thumb as to how many data subjects or what volumes of data, for instance, would meet this threshold.

    The former WP29 recommends considering the following factors in particular in determining if processing is carried out on a large scale:

    • the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
    • the volume or variety of data being processed;
    • the duration or permanence of the data-processing activity; and
    • the geographical extent of the processing activity.

    The main point is that minimal, contained or short-term processing would typically not be covered. The EDPB DPO guidelines provide examples of what does and does not constitute large-scale processing.

  • ‘Core activity’

    This refers to the primary business activities of your organisation, rather than to ancillary functions (recital 97, EU GDPR). Consider your organisation’s key objectives and the extent to which you need to process personal data to achieve these.

    Processing personal data for secondary purposes (eg, for human resources reasons or IT support) that are not part of carrying out your primary objectives does not count.

    Ireland’s supervisory authority, the Data Protection Commission (DPC), has published guidance covering Use of CCTV by data controllers, which is relevant where your organisation is an employer needing to perform ancillary data processing activities (surveillance) in its capacity as an employer.

Note that different EU member states may set lower thresholds for the requirement to appoint a data protection officer if you are a private organisation. For example, see Chapter 3, section 38 of the German Federal Data Protection Act.

1.3 Do your organisation’s core activities consist of large-scale processing of special categories of personal data?

Each of the specific elements in the main question is broken down below.

  • ‘Special categories of personal data’

    Under article 9, EU GDPR, this means ‘Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.

    This type of more sensitive data is given certain special protections under the EU GDPR, including requiring the appointment of a DPO where the relevant criteria are met.

  • ‘Large-scale’

    If special category data is processed, this will need to happen on a large scale (and also be a core activity) to meet the threshold for mandatory appointment of a DPO. See explanatory notes about what qualifies as ‘large scale’ at 1.2 above.

  • ‘Core activity’

    You can exclude special category data relating to employees that is used for standard reasons related to their employment from this assessment. See explanatory notes about what qualifies as a ‘core activity’ at 1.2 above.

1.4 Do your organisation’s core activities consist of large-scale processing of criminal data?

  • ‘Criminal data’

    This is not defined under the EU GDPR, but article 10, EU GDPR refers to personal data relating to ‘criminal convictions and offences or related security measures based on article 6(1)’.

  • ‘Large-scale’

    If criminal data is being processed, this will need to be done on a large scale (and also be a core activity) to meet the threshold for mandatory appointment of a DPO. See explanatory notes about what qualifies as ‘large scale’ at 1.2 above.

  • ‘Core activity’

    You can exclude criminal data relating to employees that is used for basic employee vetting from this assessment. See explanatory notes about what qualifies as a ‘core activity’ at 1.2 above.

Step 2 – What must your organisation do when appointing a DPO?

Step 2 is a list of requirements for you to tick off when appointing a DPO.

2.1 Decide the DPO’s remit and ensure the DPO is accessible across all supported organisations

A DPO can be appointed for a single organisation or for multiple organisations within a corporate group – they need to be easily accessible from each establishment (article 37(2), EU GDPR).

If your organisation is a public authority or body, a single DPO may be designated for several such authorities or bodies, taking account of their organisational structure and size (article 37(3), EU GDPR).

2.2 Decide the basis of the DPO’s appointment (internal/external)

Both internal and external appointments are permissible, meaning that the DPO can be appointed from within the organisation or the function can be outsourced (article 37(6), EU GDPR).

2.3 Decide how to structure the DPO function

The DPO function will need to be structured to suit your organisation. The EU GDPR requires the appointment of a single DPO. However, larger or more complex organisations may have a DPO team, made up of a range of specialists with clearly defined remits, supporting the DPO.

2.4 Appoint the DPO under a written contract with a detailed role specification

The GDPR does not expressly say that the DPO must be appointed under a written contract but this is implicit in the provisions of article 37(6): ‘The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.’

Arguably, this would also be required for a controller to meet its ‘accountability’ obligations.

In any event, there are good employment law and data protection compliance reasons for formalising the appointment of an internally appointed DPO’s role in their employment contract and providing an updated job specification that outlines their tasks and responsibilities. For an external DPO, the scope of their appointment and the service that the organisation is expecting to receive would also need to be set out clearly so that the organisation can enforce its rights under the contract if there was ever a dispute.

2.5 Designate the DPO on the basis of professional qualities

The DPO needs to be designated on the basis of ‘professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in article 39’ (article 37(5), EU GDPR). This envisages that the DPO has some formal training or considerable expertise gained through experience in data protection law.

The prescribed tasks of the DPO are set out in article 39, EU GDPR and outlined in step 3.

2.6 Ensure the DPO has proper and timely involvement in all issues related to the protection of personal data

The organisation needs to ensure that the DPO is ‘involved, properly and in a timely manner, in all issues which relate to the protection of personal data’ (article 38(1), EU GDPR). Involving the DPO at the last minute, or without adequate information, will breach this requirement.

2.7 Support the DPO in performing their prescribed tasks

The organisation needs to support the DPO in performing the tasks prescribed in article 39 by providing necessary resources and access to personal data and processing operations, and to maintain their expert knowledge (article 38(2), EU GDPR). This includes, for example:

  • where appropriate, providing the DPO with a team to support them or with access to external support (such as through a law firm);
  • allowing the DPO access to personal data and processing operations, in particular giving them the information they need to properly do their job; and
  • paying for professional training for the DPO and allowing them the time to undertake this.

2.8 Ensure the DPO is independent and does not receive any instructions regarding the exercise of their prescribed tasks

The DPO must not receive any instructions regarding the exercise of their prescribed tasks (article 38(3), EU GDPR). This means ensuring that the DPO has sufficient independence.

2.9 Not dismiss or penalise the DPO for performing their tasks

The DPO cannot be dismissed or penalised for performing their tasks (article 38(3), EU GDPR). However, they could be dismissed or penalised for unrelated matters, for example, disciplinary reasons. Different EU member states may also impose their own restrictions on the termination of a DPO’s employment; for the restrictions in Germany, see the ECJ decision in Case C‑534/20 (2022).

Further, the DPO is not personally liable for data protection compliance – this remains your organisation’s responsibility.

2.10 Ensure the DPO has a direct reporting line to the highest management level

The DPO needs a direct reporting line to the highest management level of the organisation (article 38(3), EU GDPR). You should write this into their contract and ensure that the highest management level supports this.

2.11 Ensure data subjects may contact the DPO about all issues related to processing of their personal data and the exercise of their rights under data protection laws

Data subjects may contact the DPO about all issues related to processing of their personal data and the exercise of their rights under the EU GDPR (article 38(4), EU GDPR). Individuals should be able to easily find the DPO’s details and contact them, for example, through your organisation’s website.

EU member states differ in the DPO contact information they expect to be provided, so the requirements should be checked with each relevant local supervisory authority.

2.12 Ensure the DPO is bound by secrecy or confidentiality concerning the performance of their tasks

The DPO is bound by secrecy or confidentiality concerning the performance of their tasks, in accordance with EU, or EU member state, law as the case may be (article 38(5), EU GDPR). This is supposed to reassure data subjects that information they provide to the DPO will be handled in confidence. However, this would not prevent the DPO from disclosing otherwise confidential information to the relevant supervisory authorities if the DPO required advice, for instance.

2.13 Ensure any other tasks and duties performed by the DPO do not result in a conflict of interests

The DPO is not prevented from performing additional tasks to those in article 39, EU GDPR. However, the organisation must ensure that any other tasks and duties performed by the DPO do not conflict with their prescribed DPO tasks (article 38(6), EU GDPR).

This effectively means that the DPO cannot hold a position that involves them:

  • determining the purposes and the means of the processing of personal data; or
  • managing competing aims that could result in business interests overriding data protection.

According to the EDPB DPO guidelines, positions that are unlikely to be compatible with a DPO role include CEO, head of marketing, COO, CFO, head of HR or head of IT. Even a legal counsel may be incompatible in certain circumstances – see Can you appoint in-house legal counsel as a DPO? - Guidance from Germany.

2.14 Ensure the details of the DPO have been published in the organisation’s privacy notice

You must publish your DPO’s details (article 37(7), EU GDPR) so that data subjects and the relevant supervisory authority can contact them. This is typically done in your privacy notice (as articles 13 and 14, EU GDPR also require DPO details to be set out). The DPO’s name need not be included, but their contact details, such as an email address (eg, a dedicated mailbox such as dpo@<your-domain>) or a contact form, are required.

2.15 Ensure the details of the DPO have been notified to the relevant supervisory authorities

You need to communicate the DPO’s details to the relevant supervisory authority (article 37(7), EU GDPR). According to the EDPB DPO guidelines, under article 39(1)(e), EU GDPR, communication of the name of the DPO to the regulator is ‘essential in order for the DPO to serve as contact point between the organisation and the regulator’.

Step 3 – What tasks does the DPO have to perform?

Step 3 is a list of requirements that you can tick off when establishing the DPO’s remit.

3.1 Inform and advise the organisation and employees who carry out processing about their obligations under data protection laws

The DPO should be the go-to person for information and advice on data protection obligations for the organisation and any employees who handle personal data. The DPO will need to be suitably qualified to provide this advice (article 39(1)(a), EU GDPR).

3.2 Monitor compliance with data protection laws and with the organisation’s data protection policies

The DPO is tasked with monitoring the organisation’s compliance with the EU GDPR and other local data protection laws, and also with the organisation’s own data protection policies. The role includes an audit function and involves promoting data protection compliance within the organisation (article 39(1)(b), EU GDPR).

3.3 Provide advice where requested as regards data protection impact assessments (DPIAs) and monitor their performance

The DPO must oversee the carrying out of DPIAs (ie, assessments of the impact of envisaged processing operations on the protection of personal data carried out prior to processing), providing advice where needed. The DPO need not do the DPIA themselves – they will generally rely on the input of various stakeholders. However, they will be central in setting up the DPIA process, developing templates and inputting where needed (article 39(1)(c), EU GDPR).

3.4 Cooperate with the relevant supervisory authorities

The DPO must cooperate with the relevant supervisory authorities (article 39(1)(d), EU GDPR).

3.5 Be the contact point for the relevant supervisory authorities on issues relating to processing

The DPO must act as a contact point for the relevant supervisory authorities. This includes in respect of prior consultation (article 36, EU GDPR), and also consulting where appropriate with regard to any other matters (article 39(1)(e), EU GDPR).

3.6 Take a risk-based approach, having due regard to the risk associated with processing operations

The DPO shall, in performing their tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing. This requires the DPO to apply risk-assessment methodologies to the specific processing activities of the organisation (article 39(2), EU GDPR).

3.7 Ensure these tasks are set out in the DPO’s job specification/employment contract/services contract

The ideal place to address the requirements under article 39, EU GDPR is in the DPO’s job specification, or employment or services contract. This will help to ensure all parties understand the DPO’s tasks and the role they perform.

Additional resources

Related Lexology Pro content

How-to guides:

  • Understanding key data protection definitions
  • How to comply with data processing principles under the GDPR
  • How to ensure compliance with the GDPR
  • How to establish a valid lawful basis for processing personal data under the GDPR
  • How to transfer personal data lawfully outside the European Economic Area
  • How to reduce the risk of a GDPR data breach
  • How to deal with a GDPR data breach
  • How to deal with a supervisory authority dawn raid

Checklists:

  • GDPR compliance self-assessment audit
  • Assessing whether an organisation is a controller or processor under the GDPR
  • Lawful processing of personal data under the GDPR
  • Obtaining and managing consent under the GDPR
  • Processor due diligence (data protection and cybersecurity)
  • Making an international transfer of personal data under the GDPR
  • Data subject access rights under the GDPR
  • What to include in your organisation’s privacy notice
  • Complying with cookie requirements under the ePrivacy Directive and the GDPR
