To assess whether a DPO is needed, the developers look at the requirements in Article 37 GDPR. Since several of these hinge on the ‘large scale’ criterion, the developers first assess whether the processing can be considered large scale, adopting the Article 29 Working Party approach (number of data subjects, volume and range of data, duration of the processing, and its geographical extent).
| Assessment for the ‘large scale’ criterion | Finding for this study |
|---|---|
| Number of data subjects concerned | 30 to 50 data subjects expected |
| Volume of data and/or the range of different data items being processed | Personal data (e.g., name, age) and special categories of data (palmprints) will be processed |
| Duration or permanence of the data processing activity | The developers expect the study to last one year |
| Geographical extent of the processing activity | The developers expect the study to have local extent (one municipality) |
After the assessment, the developers decide to treat the processing activity as a ‘large scale’ one. Taken at face value, the factors point towards a modest scale (a few dozen data subjects, one year, one municipality); however, the Article 29 Working Party gives no quantitative thresholds, so the result of the assessment cannot be considered conclusive, and the developers opt for the more cautious classification.
Having assessed the ‘large scale’ criterion, the developers proceed to assess whether a DPO is required.
| # | Requirements mandating a Data Protection Officer (Article 37 GDPR) | | Result |
|---|---|---|---|
| 1 | “The processing is carried out by a public authority or body, except for courts acting in their judicial capacity” | ✗ | Does not apply |
| 2 | “The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale” | ✗ | Does not apply (no regular or systematic monitoring) |
| 3 | “The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9” | ✓ | Applies (special categories of data and ‘large scale’ processing) |
| 3 (cont.) | “The core activities of the controller or the processor consist of processing on a large scale of […] personal data relating to criminal convictions and offences referred to in Article 10” | ✗ | Does not apply (no personal data relating to criminal convictions and offences) |
| 4 | In every other case not listed by requirements 1–3, “the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer” | ✗ | Does not apply (no specific EU or Member State law) |
Since one of the requirements applies, the developers decide to designate a DPO. The data controller (Developing Inc.) does not have an appointed DPO, so the developers proceed to hire one. (Article 37(6) GDPR allows the DPO to be either a staff member of the controller or an external person fulfilling the tasks on the basis of a service contract.)
Legal regime: special categories of personal data

| Does the activity satisfy one of the requirements for a DPO? | | Outcome |
|---|---|---|
| Yes | ✓ | Designation of a DPO is mandatory |
| No | | Designation of a DPO is optional (Article 37(4) GDPR) |