DPOs play a crucial role when designing and implementing data-processing activities in a GDPR-compliant manner. They are another safeguard that the GDPR mandates on certain occasions and, in general, it is recommended to appoint such a figure. The Article 29 Working Party considered that this “is a cornerstone of accountability and that appointing a DPO can facilitate compliance”.
Article 37(1) of the GDPR outlines when controllers and processors should appoint a DPO. In the case of geospatial devices and systems, the appointment of a DPO will most likely be necessary, as most of them process personal data in a way that may require regular monitoring of data subjects on a large scale, or the processing may be carried out by public authorities.
It would be useful if each Member State’s regulations on the need for DPOs expanded the list of activities that demand the appointment of a DPO or, at least, provided clear examples that could help to interpret which data-processing activities carried out by controllers and processors demand such an appointment.
If a DPO has to be appointed, for any of the reasons mentioned above, they must participate from the outset of the project, for example in the drafting of a DPIA (required by Article 39(1)(c)) as well as in any other issue related to data protection within the entity (as prescribed by Article 39(1)(a)). This may include reviewing a potential processor, as described in the previous item.
The controllers checked whether the institution has already appointed a DPO.
If not, they checked with the legal department whether the intended data-processing activities trigger the appointment of a DPO, by looking at European authoritative interpretations, local regulations, local authoritative interpretations, and relevant national and European case law.
The controllers required the appointment of a DPO if necessary, and the DPO's involvement in the tool development process as needed.
As a general rule, the DPO should be aware of every step taken to allow room for their intervention if deemed relevant.
1 Article 29 Working Party (2017) Guidelines on Data Protection Officers (‘DPOs’), p.4. European Commission, Brussels.
2 Article 37. Designation of the data protection officer. 1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.