AI Summary of Article 37 Designation of the data protection officer
The designation of a Data Protection Officer (DPO) is crucial under specific conditions, including when processing is conducted by public authorities, or entails regular and systematic monitoring of individuals on a large scale. Additionally, large-scale processing of special categories of data or criminal conviction data necessitates a DPO's appointment.
Organisations may appoint a single DPO across multiple authorities, ensuring accessibility while publishing the DPO’s contact details to the supervisory authority is mandatory. The DPO must possess professional expertise in data protection law and can be engaged as a staff member or through a service contract.
Article 37 Designation of the data protection officer
1. The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.