The DPO in your organisation

Pursuant to article 37 of the GDPR, appointing a DPO is mandatory for:

  • Government bodies and public organisations. This is always mandatory for these organisations, regardless of the type of data they process. It may concern the central government, municipalities and provinces, but also, for example, healthcare and educational institutions. The mandatory appointment of a DPO does not apply for courts.
  • Organisations that, as part of their core activities, track individuals or map their activities on a large scale. This may concern, for example, profiling of people for making risk assessments, camera surveillance, staff tracking systems and monitoring someone's health via wearables. Relevant factors include the number of people tracked by an organisation, the quantity of data processed by this organisation, and how long the organisation tracks people.
  • Organisations that process special personal data on a large scale and for which this is a core activity. Special personal data are, for example, data about someone's health, race/ethnicity, political opinion or religious conviction.
  • Organisations that process criminal personal data.

In addition, EU member states may designate other situations in which having a DPO is mandatory. It is as yet unknown if this will happen in the Netherlands.


Is it unclear whether you, as an organisation, are obliged to appoint a DPO? Then you must be able to substantiate properly why you have chosen to do or not to do this.
 

A joint DPO

It is possible to appoint one DPO for multiple organisations or organisational units. For example for:

  • a group of organisations;
  • multiple business units within a group of companies;
  • multiple administrative bodies within a municipality, water board or province.

The condition for a joint DPO is that this person can be reached properly from every organisation or every organisational unit, and is actually able to perform the statutory tasks of a DPO in practice.
In this situation, you have to pay extra attention to ensuring that the contact details of the DPO are widely available. Data subjects and supervisors must be able to communicate easily and directly with the DPO.


If you want to appoint a joint DPO, you submit one registration to the Dutch DPA. You do not have to fill in a separate registration form for every organisation or every organisational unit for which you want to register a DPO.
It must be clear, though, for which organisations or organisational units you register the DPO. You can indicate this in the explanation field of the registration form.


DPO must be able to work properly and independently

Article 38 of the GDPR stipulates that a DPO needs sufficient resources for carrying out their tasks. The DPO must have access to the personal data and the processing operations of the data in the organisation. In addition, the DPO must be able to maintain their own knowledge level.
In concrete terms, the DPO needs, among other things, the following to perform the role:

  • active support from the management;
  • sufficient time for carrying out the tasks;
  • sufficient practical support (budget, facilities and staff);
  • clear communication to all members of staff about the appointment of the DPO;
  • training.

In addition, the GDPR contains various safeguards that help DPOs do their job independently.

  • You are not allowed to give the DPO instructions on how to carry out the DPO tasks.
  • You are not allowed to dismiss the DPO or impose a sanction on the DPO as a result of the performance of DPO tasks.
  • There must be no conflict of interest between DPO tasks and any other tasks or positions of the DPO. This means that the DPO within your organisation cannot have another position in which this person determines the purpose and the means of a data processing operation. This is the case with a management position as head of finance, strategy, marketing, IT, HRM or as ‘chief information security officer’ (CISO).
  • The DPO must have access to the members of the top management (the controller within the meaning of the law), without intervention from others in your organisation, to be able to provide advice.


Reachability of the DPO

It must be easy for people to contact the DPO without any intermediary. Your website is an easy tool for this, but other ways are allowed too. You are not obliged to state the name of the DPO. A telephone number or an email address at which the DPO can be reached is enough.


No obligation, but nevertheless a DPO


As an organisation, you can also appoint a DPO if you are not obliged to do this. It may even be very useful to employ or hire someone who specialises in the protection of personal data. Voluntarily appointing a DPO is especially advisable if you are a company with government tasks, such as a public transport company, energy company or housing cooperative.
As soon as you refer to this employee as a 'data protection officer', the same rules apply for this non-mandatory DPO as for the mandatory DPO, including where it concerns the professionalism and the range of tasks of the DPO (see Articles 37, 38 and 39 of the GDPR). You must register a voluntarily appointed DPO with the Dutch DPA as well.


Note: It may cause confusion when a voluntarily appointed employee refers to themselves as DPO, while you have no intention of imposing the same requirements on this employee. In that case, referring to this person as ‘privacy officer’, for example, is preferable.


Are you not obliged to appoint a DPO, but do you want advice on data protection? Instead of appointing a DPO, you can then also employ a member of staff or hire a consultant who engages in the protection of personal data.


Do the job title, position and range of tasks of this person differ from those of a DPO? Then the statutory rules for the DPO do not apply. In that case it is important, though, that you make it clear - both within and outside your organisation - that this person is not a DPO within the meaning of the law.


You will find more information in Articles 37, 38 and 39 of the GDPR.