The controller and the processor shall designate a data protection officer in any case where:

  •  the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

X
Skip to content