Following our Frequently Asked Questions document about the appointment of Data Protection Officers (DPOs) as per the EU GDPR and popular analysis blogs; here we are with a practical Decision Tree which adds some visual dimension to the discussion. Note that we expressly excluded the obligation for public authorities in this chart and only focused on the applicability of the relevant provisions for private sector organizations.

Let's continue our analysis on the GDPR's provisions on appointment of Data Protection Officers (DPOs). We will look at the possible contract types for a DPO, the reporting line and positioning within an organization, the duties of the hiring organization and secrecy/confidentiality principles a DPO must be bound with while performing the job.

Previously we have provided an FAQ document on the mandatory appointment of Data Protection Officers (DPOs) which comes as a new obligation to certain private sector companies. In this blog, we would like to go a little bit into the detail and share thoughts. For any comments or feedback, please feel free to write us at .

The new EU Data Protection Regulation now requires that certain private sector organizations must appoint Data Protection Officers (DPOs). This requirement applies to all types of organizations irrespective of their size and whether they are processing personal data in the capacity of a Controller or a Processor. ​​Is your European business in the scope? Can you appoint an existing employee as a DPO? ​What are the qualities you should seek for? Whom should your DPO report to? Take a look at our FAQ paper which addresses major questions raised by businesses.