The Data Protection Officer: Necessity or Superfluous


The European Union Genera Data Protection Regulation (GDPR) came into force in May 2018, and since then, it has caused significant changes to businesses operating in or outside the EU that process the data of EU citizens. Those that find themselves falling foul of the law can expect hefty penalties by the end of the year, following a few months’ grace period from authorities.


Under the provisions of the GDPR, businesses or entities that control or process personal data under specific circumstances are required to appoint a data protection officer. According to Article 37 of the GDPR, it is a legal obligation to appoint a DPO under the following circumstances:

  1. The processing is carried out by a public authority or body (except for courts acting in their judicial authority); or
  2. The “core activities” of an entity involve “regular and systematic monitoring of data subjects on a large scale”; or
  3. The “core activities” of an entity involve “large scale” processing of “special categories of data”.


Article 37(2) of the GDPR also states that a “group of undertakings” (such as a parent company and its subsidiaries) is allowed to appoint just one DPO as long as they are easily accessible from all of the undertakings’ European locations.


The requirement for a DPO was one of the hotly contested areas of the data protection reforms and there were many concerns around the role’s importance, how much work would be undertaken, and the criteria for determining who does, and who does not require such an individual.


The main undertakings of a DPO include the supervision of an entity’s compliance with GDPR as well as overseeing all staff members that deal with or interact with personal data. The DPO is also responsible for anything relating to data protection within the business, as stated in Article 38(1) of the legislation:

“...ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.


It is important that such an individual must be independent, directly reporting to the executive management of the controller or the processor. Such requirements are also included in Article 38(3);

“'the controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.”


Finally, as Working Party 29 (now European Data Protection Board) denotes, the DPO needs to have the following as minimum requirements:

  • Level of expertise
  • Professional qualities
  • Ability to fulfil task


To find out more about the GDPR, DPOs and how this could affect your business operation, please contact a team member at BDO Malta who will be happy to guide you through the laws that apply to you.

Subscribe to receive the latest BDO News and Insights

Please fill out the following form to access the download.