The appointment of a DPO is one of the best steps that can be taken by the controller to properly implement measures that ensure compliance with the rights of the data subjects. Appointing a DPO is not a necessary consequence of operating with AI tools. It is undeniable, however, that appointing a DPO is only compulsory if conditions settled by Article 37(1) (b) or (c) apply. Therefore, it is not the case that all AI developers should appoint a DPO. However, it is always recommendable to proceed to do so, at least in terms of transparency (see the “Transparency”section in the “Principles” chapter).

In any case, the data responsible should elaborate this by outlining the role of the DPO in relation to the overall management of the project, ensuring that the role of the DPO is not marginal, but cemented into the decision making processes of the organization/project. They should make clear what that role could be in terms of oversight, decision-making and similar.