Is your company required to have a Data Protection Officer?
4 min to read

Is your company required to have a Data Protection Officer?

11 February 2016

Is your company required to have a Data Protection Officer? According to the future General Data Protection Regulation – possibly! It all depends on a specific evaluation of the data your company is processing and to which extent.

Data Protection Officers are a new idea and a consequence of the implementation of the new regulation. The most obvious question is: What is a data protection officer?
What is a Data Protection Officer (DPO)? A DPO is an employee that is responsible for the personal data, and could also be an external consultant, who must have specific professional competences (expert knowledge) regarding the processing of personal data and who must supervise that the company actually implements and complies with the regulation. The DPO must particularly be consulted before systems, that perform automated processing of personal data, are designed, put out to tender, developed or configured to secure that the company complies with the principals of privacy by design and privacy by default.

Is your company required to have a DPO?

Firstly, all public authorities are required to have a DPO (except from the courts). For private companies, a DPO is mandatory in two instances. The first instance is if the core activity of your company is processing of personal data. Not all processing of data is included, but processing of personal data that according to its nature, use or purpose requires regular and systematic surveillance of individuals on a large scale is included. It is still unclear what this implies, but, roughly speaking, it probably means that if the company’s processing of personal data is extensive and significant in quantity or quality, the company is required to appoint a DPO.

Furthermore, your company is required to appoint a DPO, if the core activity of the company is processing of sensitive information on a large scale or information regarding criminal records. Sensitive data is information regarding race, ethnic origin, political views, religious or philosophical persuasions, trade union membership, sexuality and genetic and biometric data.

What is the role of a DPO?

It is important that the DPO is sufficiently independent of the company. In practice, this requirement complicates the appointment. For instance, it will as a rule not be possible to appoint the purchasing manager as the DPO, because of the danger that resources allocated to handling the job as the DPO will be given low priority compared to the purchasing function.

It is also questionable, if appointing the external lawyer of the company is adequate because there is a certain degree of financial connection – and thereby convergence of interests – between the parties and also because the DPO is under obligation to report directly to the supervisory authorities which could collide with the lawyer-client confidentiality.

Special protection

Nothing hinders the DPO from being employed by the company as long as he is offered a special protection against dismissal and sanctioning pursuant to his position as the DPO. But as mentioned above, it must be carefully considered which position the DPO holds as it may easily lead to conflicts of interest. It will also be possible for companies to appoint an external DPO either alone or together with other companies as long as the DPO is readily available for all of the companies.

Position in the company

Due to his position, the DPO is subject to duty of confidentiality and must report directly to the top management of the company. He is also the contact between the company and the data protection supervisory authority as well as for customers, business partners and employees whose data is being processed by the company. He is also responsible for supervising compliance with the company policies on personal data privacy and that the employees in question are receiving appropriate instructions in this connection.


According to the regulation, a DPO must have ‘expert knowledge’ regarding the processing of personal data and related practice. What ‘expert knowledge’ specifically implies and the further education of the DPO will be discussed in the next blog entry.

How to get started right away

It may seem that the requirements of the General Data Protection Regulation are far into the future. But if you have a look at all the requirements of the companies and public authorities, it is a good idea to get started right away.

Of course, it may be difficult to estimate, if your company is obligated to appoint a DPO. But already at this point, your company can benefit from a thorough review of the company’s procedures regarding the processing of personal data and the employees that will handle the issues regarding the processing of personal data, including whether a DPO must be appointed. It will give you a good starting point for complying with the future requirements regarding the processing of personal data.

Written by
Martin von Haller
Martin von Haller
Martin is recognised for his solid legal skills and as an innovative thought leader and strategist within the IT industry. He is a partner in Bird & Bird's International Tech and Comms Group and is based in Denmark. Martin is one of Denmark’s leading IT lawyers with almost 20 years’ experience of advising Danish and international organisations, including large blue chip companies on legal and commercial matters in connection with IT in a wide sense. He is considered a pioneer with respect to legal aspects of Online Technology Solutions (Ecommerce, internet and web services), Cyber and IT security, open source and open data and use of other open licence forms such as Creative Commons.
Related articles
PODCAST - Demystifying Intellectual Property and NFTs (Non Fungible Tokens)
1 min to read
11 June 2021
PODCAST – Demystifying Intellectual Property and NFTs (Non Fungible Tokens)
2021 has been the year Non Fungible Tokens (NFTs) have entered the public conscious, with the mainstream media highlighting a range of high profile NFTs being purchased for substantial sums. Rebecca...
Digital Compass: EU outlines its digital ambitions for 2030
1 min to read
18 May 2021
Digital Compass: EU outlines its digital ambitions for 2030
The Commission recently presented a vision for Europe’s digital transformation by 2030 which revolves around four main pillars: skills, government, infrastructure and business. These four areas are part...
Recent initiatives impacting the digital sector
Recent initiatives impacting the digital sector
Recent months have seen a veritable flurry of legislative, regulatory and soft law initiatives and proposals. The measures often tackle similar sectors – all things digital often being in the eye of the...
The EU considers allowing collective bargaining for gig workers
4 min to read
09 March 2021
The EU considers allowing collective bargaining for gig workers
Over the past years, the EU institutions have shown quite some attention to the position of workers in the so-called gig or peer economy, despite the limited legislative authority of the EU in the area...
We use analytics cookies to help us understand if our website is working well and to learn what content is most useful to visitors. We also use some cookies which are essential to make our website work. You can accept or reject our analytic cookies (including the collection of associated data) and change your mind at any time. Find out more in our Cookie Notice.