Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Section 2.2 DPO of the processor
Article 37 applies to both controllers and processors with respect to the designation of a DPO. Depending on who fulfils the criteria on mandatory designation, in some cases only the controller or only the processor, in other cases both the controller and its processorare required to appoint a DPO (who should then cooperate with each other).
It is important to highlight that even if the controller fulfils the criteria for mandatory designation its processor is not necessarily required to appoint a DPO. This may, however, be a good practice.
A small family business activein the distribution of household appliancesin a single town uses the services of a processor whose core activity is to provide website analytics services and assistance with targeted advertisingand marketing. The activities of the family business and its customers do not generate processing of data on a ‘largescale’, considering the small number of customers and the relatively limited activities. However, the activities of the processor, having many customers like thissmall enterprise, taken together, are carrying out large-scaleprocessing. The processor must therefore designate a DPO under Article 37(1)(b). At the same time, the family business itself is not under an obligation to designate a DPO.
A medium-size tile manufacturing company subcontracts its occupational health services to an external processor, which has a large number of similar clients. The processor shall designate a DPO under Article 37(1)(c) provided that the processing is on a large scale. However, themanufacturer is not necessarily under an obligation to designate a DPO.
The DPO designated by a processor also oversees activities carried out by the processor organisation when acting as a data controller in its own right (e.g. HR, IT, logistics).
You may also like
Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.3 Risks to free flow of personal data within the Union 44. Where the objection will refer to this particular risk, the CSA will need to clarify why it …
Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.2 Risks to fundamental rights and freedoms of data subjects 39. The issue at stake concerns the impact the draft decision as a whole would have on the data …
Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.1 Meaning of “significance of the risks” 35. It is important to bear in mind that the goal of the work carried out by SAs is that of protecting …