DPO Network Europe | Specialists in European Privacy Recruitment

FAQS ABOUT THE APPOINTMENT OF DATA PROTECTION OFFICERS
(under the EU General Data Protection Regulation ('GDPR', 'Regulation'))

This document has been prepared by DPO Network Europe for informational purposes only. The content of this document does not constitute legal advice and should not be relied upon as such. Please check with your legal counsel when in any doubt about understanding your rights and obligations in order to comply with the law and regulations.
Q1: Our company is based in the EU. Does this DPO provision apply to us?
You are required to appoint a DPO for your business if the core activities of your company consist of personal data processing which
  • requires regular and systematic monitoring of individuals on a large scale; or
  • is about special categories of data on a large scale and data relating to criminal convictions and offences. ‘Special categories of data’ are the types of data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; genetic data, biometric data or data concerning health or sex life and sexual orientation.

Please note carefully that even if none of these situations applies to your processing, you (or the body which is representing you, if you are not established in the EU but are processing data of individuals who are in the EU) may still have to appoint a DPO if this is required by the law of the Member State to which your processing relates.

Check out the GDPR DPO Appointment Decision Tree!
Q2: Our company is not based in the EU. Do we ALSO need to appoint DPOs?
Step 1: First establish whether your company is subject to the Regulation. Your non-EU based company will be subject to this Regulation if you are processing EU personal data as a consequence of:

  • Offering goods or services (whether free of charge or not) to individuals in the EU or
  • Monitoring their behaviour as far as their behaviour takes place within the EU.
 
Step 2: Once you have assessed that your non-EU based company is subject to the Regulation, you must assess whether you have to appoint a DPO by applying the criteria in Question 1.

Check out the GDPR DPO Appointment Decision Tree!
Q3: Is there any further clarity on the tasks, required profile and the position of the DPO?
Yes. The Regulation defines the minimum tasks of a DPO. In addition, it provides some clarity on the DPO's position within an organization, such as his/her reporting line, the manner in which the job must be performed and your duties to facilitate the work.
Q4: What are the tasks of a DPO?
Your DPO will 
  • inform and advise your organization and staff who process personal data of their obligations as per the Regulation and other EU or local data protection provisions;
  • monitor compliance with the Regulation, with other EU or local data protection provisions and with the data protection policies of your organization, including the assignment of responsibilities, awareness-raising and training of your staff involved in the processing operations, and the related audits;
  • provide you with advice, where requested, on the data protection impact assessment and monitor its performance;
  • cooperate with the supervisory authority and act as the organization’s contact point on issues related to the processing of personal data, including the prior consultation;
  • respond to individuals whose data is processed (your employees, clients and similar) on all issues related to the processing of their data and the exercise of their rights under the Regulation.
Q5: What is the job holder profile?​​
You must designate a DPO on the basis of professional qualities and, in particular, expert* knowledge of data protection law and practices and ability to fulfil the tasks above.
​ 
* When defining the necessary level of knowledge, organizations are recommended to consider their type of data processing and the level of protection it requires.
Q6: Can we assign one of our employees as our DPO?
Yes. However, you must ensure that the other professional duties of this employee are compatible with his/her new duties as DPO and do not result in a conflict of interests.
Q7: What is the minimum period for a DPO APPOINTMENT?​​
​There is no prescriptive rule on the length of this tenure.
Q8: Could we appoint a single DPO for a group of companies?
Yes. A group of sister companies may appoint a single DPO provided that the DPO is easily accessible from each establishment.
Q9: Do we need to have an 'in-house' DPO on an employment contract?
No. You can also recruit and appoint an external DPO who will work on the basis of a service contract.
Q10: Who should our DPO report to?
Your DPO must report directly to the highest management level of your organization. (S)he must be in a position to perform tasks in an independent manner, should not receive any instructions regarding the exercise of his/her tasks, and cannot be dismissed or penalized for performing those tasks.
Q11: What other duties do we have as an employer?
You must
  • support your DPO by providing resources necessary to carry out his/her tasks as well as to maintain his/her expert knowledge;
  • provide access to personal data and your processing operations;
  • ensure that your DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data;
  • make his/her contact details available to the supervisory authority and to the public.
Q12: Anything else we need to know?
While performing his/her tasks your DPO has to consider the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing. Your DPO will also be bound by secrecy or confidentiality concerning the performance of his or her tasks.
Q13: What if we fail to follow these provisions?
Violation of the DPO-related provisions of the Regulation may result in huge administrative fines (up to 10 000 000 EUR, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher).
Q14: We are looking to recruit a DPO for our European business. How do we find the right talent as soon as possible?
We can help! DPO Network Europe is Europe's distinctive recruitment brand in data protection & privacy. Thanks to our growing candidate network of experienced in-house and external DPOs across Europe, we are able to connect you to the right talent wherever your vacancy is based.
Learn how we assist businesses with:
  • in-house DPO recruitment
  • external (contract) DPO recruitment