A DPO must be appointed:
- Where the processing is carried out by a public authority or body;
- Where the organisation’s core activities require regular and systematic monitoring of data subjects on a large scale; or
- Where core activities involve large-scale processing of special category data or data relating to criminal convictions or offences.
Organisations that are not obliged to appoint a DPO can nevertheless do so if they wish. The role has the same legal status whether the appointment is voluntary or mandatory. See Articles 37, 38 and 39.