Article 37 of GDPR: Data protection officer designation
Article 37 outlines the mechanics of designating a data protection officer.
When to designate a data protection officer (Article 37(1) GDPR)
Organizations should designate a data protection officer or DPO in any of the following instances:
- Data processing is being carried out by a public authority except for the judicial courts (Article 37(1)(a) GDPR)
- The organization's core activity requires regular and systematic monitoring of data subjects on a large scale (Article 37(1)(b) GDPR)
- The organization's core activity consists of processing, on a large scale, special categories of data and personal data relating to criminal convictions and offences (Article 37(1)(c) GDPR)
DPO within a group of undertakings (Article 37(2) GDPR)
A company operating as a group has the option to appoint a single data protection officer, provided that the DPO is readily accessible from each of its establishments.
DPO within a public authority (Article 37(3) GDPR)
A public authority or public body has the option to appoint a single data protection officer, taking into consideration the public authority's organizational structure and size.
DPO for organizations representing categories of controllers or processors (Article 37(4) GDPR)
In the event that a controller, processor, association or other body represents categories of data controllers or data processors, it may designate a DPO to act for the association or body representing the data controllers or processors.
Expertise of the data protection officer (Article 37(5) GDPR)
When appointing a data protection officer, organizations should consider the person’s qualifications for the position.
Particularly, the person’s expertise and knowledge of the data protection laws along with data protection practices are important.
The DPO must be able to carry out the tasks required of him under GDPR.
Relationship of DPO to the organization (Article 37(6) GDPR)
An organization may either appoint a data protection officer from among its own employees or hire an external organization providing DPO services.
Publication of data protection officer’s contact details (Article 37(7) GDPR)
Once a DPO is appointed, the organization must publish the contact details of its DPO and communicate the person’s contact information to the supervisory authority.
Recitals applicable to Article 37 of GDPR
Relevant Recitals: 97
Cited Legislation in Article 37 or relevant recitals
GDPR Text: Article 37 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)