Is it mandatory to have a Data Protection Officer?

The GDPR incorporates new commitments in terms of privacy and data protection. The Data Protection Officer (DPO) is a figure that was introduced as mandatory by General Data Protection Regulation in order to internally monitor the compliance with the obligations that GDPR establishes in each organization.

When is it mandatory to have a Data Protection Officer?

Articles 37 and 39 of the GDPR include the following cases to determine the obligation to appoint a DPO:

  • the processing is carried out by a public authority or body,
  • the core activities and operations of the controller require regular and systematic monitoring of data subjects on a large scale,
  • the core activities and operations of the controller consist of processing on a large scale of personal data relating to criminal convictions and offences.

According to the GDPR these organizations have to appoint a DPO:

  • Public administrations,
  • Organizations that carry out processing on a large scale or particularly intensive processing, either due to the nature of their data processing or due to the nature of the personal data processed.

According to the Project of new Spanish Organic Law on the Protection of Personal Data (LOPD), these are the organizations that are obliged to appoint a DPO:

  • Professional associations and their general councils
  • Educational institutions
  • Organizations that operate networks and provide electronic communication services
  • Providers of information society services
  • Credit institutions
  • Credit financial institutions
  • Insurance and reinsurance companies
  • Investment service companies
  • Distributors and marketers of electric power and natural gas
  • Organizations responsible for common files for the assessment of financial solvency and creditworthiness or for the common files for the management and prevention of fraud
  • Organizations that develop advertising and commercial research activities
  • Health centers
  • Organizations that have commercial reports about people and companies as one of their objects
  • Operators that develop the gambling activity
  • Those that perform the private security activities
  • Those companies that are not included in this list can voluntarily appoint a data protection officer.

The Data Protection Officer who can be part of your company or outsourced service must have legal knowledge that will serve as the basis of data processing and the correct development of their professional skills that are detailed below.

Functions of Data Protection Officer

The functions of the DPO are specified in the Article 39 of the GDPR:

  • inform the controller or the processor and the employees who carry out processing of their obligations
  • monitor the correct compliance with the regulation and the work derived from it, such as the assignment of responsibilities or the training of staff
  • provide advice on the data protection impact assessment and ensure the application is in accordance with the European regulation and national law
  • cooperate with the supervisory authority on the community and national level that is responsible for ensuring the application of the regulation and
  • act a point of contact.

Do you want to know more? Feel free to contact us by clicking here!

Share this article


Article written by

A. P.

This is an example of a biography, lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

Related articles



Would you like to receive regular updates on data protection and GDPR? Subscribe to our newsletter and you will be the first to receive our new blog articles, webinars and ebooks.

Free Webinars