Article 37 of the General Data Protection Regulation (GDPR) requires companies to appoint a Data Protection Officer (DPO in English or DPD in French) when:
- the processing is carried out by a public authority or public body, with the exception of the courts; or
- the company’s core business consists of operations which, due to their nature, scope or purpose, require the regular and systematic monitoring of data on a large scale; or
- the company’s core business consists of the large-scale processing of sensitive data or data relating to convictions or offences.
Nevertheless, many companies decide to designate a DPO even though they do not fall within any of the mandatory cases mentioned above.
Debora Cohen has published an article, in French, on the function of a company’s DPO in issue n°78 of the Journal du Management juridique du Village de la Justice (the issue on the law of NTIC, IT, trademarks, patents and GDPR).