Art. 37 | High Severity | GDPR | European Union

GDPR Article 37 — Designation of the data protection officer

Enforced by: ICO (UK) / National DPAs
Current as of May 25, 2018
Plain Language Summary
A DPO is mandatory for public authorities, organizations that carry out large-scale systematic monitoring, and organizations that process sensitive data on a large scale. The DPO must be independent.

The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body; (b) the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities consist of processing on a large scale of special categories of data.