MBF Knowledge Base

EU General Data Protection Regulation Data Protection Officers

All information here was borrowed from the GDPR website https://eugdpr.org

The designation of a Data Protection Officer (DPO), covered in article 35, draws somewhat similar views from both the Commission and Parliament. They agree that a DPO is mandatory wherever the data processing is carried out by a public authority or by a company (controller or processor) whose core activities consist of processing operations which require regular and systematic monitoring of data subjects. They also agree that companies passing certain thresholds should be mandated to appoint a DPO, yet they differ on the exact metric: the Commission text requires one for any enterprise with over 250 employees, while the Parliament text calls for one at those processing the personal data of over 5000 data subjects in any 12-month period. Finally, Parliament adds that a DPO should be mandatory for all enterprises that process 'Special categories' of data, including information such as health data or religious and political beliefs. The Council does not mandate the appointment of a DPO unless it is required by EU or member state law. Its members themselves had varying views during the debate prior to the release of the general approach, so it will be interesting to see how vigorously the Council fights for this relaxation of DPO appointments against the other two authorities, which seem to hold similar positions.