Does my company need a data protection officer or DPO?

Whether you should hire a DPO depends on a few factors.

There are three types of companies that are required to hire a DPO:

1. All public sector organizations (except courts), such as government organizations

2. Companies whose data processing requires “regular and systematic observation,” for example because of the “nature, scope or purposes” of the processing;

3. Companies that process “special category” personal data, such as information about race, political opinions, religion, biometrics, health, sexual orientation or criminal convictions.

What is the role of the recognized DPO in the GDPR?

A recognized DPO takes care of all your personal data.

The controller and the processor designate a data protection officer in each case where:
1. The processing is carried out by a public authority or body, except in the case of courts acting in their judicial capacity;

2. A controller or processor is primarily responsible for processing operations which, by their nature, size and/or purposes, require regular and systematic large-scale observation of data subjects;

3. The controller or processor is primarily responsible for large-scale processing of special categories of data under Article 9 and of personal data related to criminal convictions and offenses referred to in Article 10.

4. A group may appoint one data protection officer or DPO, provided that the accredited DPO can be easily contacted from each location.

5. Where the controller or processor is a public authority or body, one data protection officer may be appointed for several such authorities or bodies, taking into account their organizational structure and size.

6. In other cases, or where required by Union or Member State law, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer. The accredited DPO may act for such associations and other bodies representing categories of controllers or processors.

7. The DPO shall be designated on the basis of his professional qualities and in particular his expertise in data protection law and practice and his ability to perform the duties referred to in Article 39.

8. The DPO may be a staff member of the controller or processor or may perform the duties under a service agreement.

9. The controller or processor shall publish the contact details of the DPO and communicate them to the supervisory authority.

Where can I find a DPO?

The DPO does not necessarily have to become a permanent employee; you can also opt for a consultant. In addition, an existing employee can also take on the role of DPO, as long as his other duties do not conflict with his job as DPO. Both options can reduce costs and make finding a suitable DPO a lot easier.

In addition, the GDPR does not specify which qualifications a DPO must hold. No mention is made of a specific diploma or certificate; instead, he must have “expertise in data protection law and practice.” With this broad description, the way is open for existing employees, such as legal consultants or privacy officers, to take up the task of DPO.

In other words, if your organization processes data on a large scale, it is likely that you will need to look for a DPO.
