The General Data Protection Regulation (GDPR) provides that companies are obliged to appoint a Data Protection Officer (DPO) if the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale. This requirement can be particularly applicable for online gaming companies, e-commerce, telecommunications companies and the information society.
Article 37(1) of the GDPR requires the designation of a DPO in three (3) specific cases:
Local legislation may also add to these instances.
Companies involved in electronic communications, electronic commerce, online gaming, as well as credit and financial institutions should analyse whether they fall under the requirement to appoint a DPO. Article 37(1)(b) requires two (2) elements to kick in:
Large Scale Processing of Personal Data
The GDPR does not define what constitutes “large scale”; however in its latest Guidance on DPOs, WP29 recommended that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
Examples of large-scale processing according to WP29 would include:
Regular and Systematic Monitoring
The Guidance then amplifies on this point by interpreting both the term “regular” and “systematic”.
WP29 interprets “regular” as meaning one or more of the following:
The term “systematic” on the other hand is interpreted as one or more of the following:
Potentially affected companies should thus plan ahead and have the required meetings with their respective Data Protection Authority. This is very important as if applicable, there is a whole process which both the Company concerned and its DPO need to comply with at inception, as well as on a continuous basis. This is also very important as the obligation to appoint a DPO may apply even when the Company is acting as a processor for a controller and not solely as controller of the data.
For more information or if you have any questions, please feel free to contact Dr Ian Gauci on igauci@gtgadvocates.com
Disclaimer: This article is not intended to impart advice and readers are asked to seek verification of statements made before acting on them.