When you must appoint a personal data protection officer:
If you are a public authority, with the exception if you are a court and act within your jurisdiction.
All private companies with public powers or companies that perform activities of public interest should also be considered public bodies .
If your primary activity consists of operations for the processing of personal data which, due to their nature, scope and/or purpose, require regular and systematic monitoring of the subjects of the personal data on a large scale .
The primary activity is considered to be the key operations that are needed to achieve the objectives of the controller, while the primary activity does not have to be only that which refers to the processing of personal data, but also other activities that result in the processing of personal data.
Example: the primary activity of the hospital is to provide health care, but this is not possible without processing health data for patients, the so-called health card.
Regular and systematic tracking of personal data subjects includes all forms of online tracking and profiling, taking into account the fact that the term tracking is not limited to the online environment.
Example: provision of services in the field of electronic communications, profiling, location tracking via mobile applications, monitoring of fitness and health data via mobile applications, etc.
To determine whether it is large scale processing, you should consider the following factors:
- the number of personal data subjects, as an absolute number or as part of the relevant population;
- the amount of personal data being processed and/or the coverage of different parts of the personal data;
- the duration, or permanence, of the processing of personal data;
- the geographical distribution of the processing of personal data.
If you process special categories of personal data or personal data related to criminal convictions and criminal offences.
The obligation to appoint a personal data protection officer applies to both controllers and processors .
You must make a decision for a personal data protection officer and notify us.