[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_y5wzmBiS8eNVHrH4uRSvmYmbOghglJwYO_3Dic99yE":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":7,"wordCount":8,"readTime":9,"title":10,"nbDownloads":11,"excerpt":7,"lang":12,"url":13,"intro":14,"featured":15,"state":16,"author":17,"authorId":18,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":47,"imageUrl":55,"imageThumbUrls":56,"id":64},true,"## When is it compulsory to appoint a Data Protection Officer (DPO)?\r\n\r\nArticle 37.1 of the GDPR (General Data Protection Regulation) **requires the appointment of a DPO** in 3 situations:\r\n\r\n- When the processing is carried out by a **public authority or public body**.\r\n- Where the **core activities** of the controller or processor consist of processing operations which require **regular and systematic large-scale monitoring of data subjects**.\r\n- Where the **core activities** of the controller or processor consist of the **large-scale processing** of special categories of data or of personal data relating to criminal convictions and offences.\r\n\r\nThe **G29**, succeeded by the **European Data Protection Board** (EDPB), provides **guidance** on the **criteria and terminology**, which will be discussed in turn:\r\n\r\n- Public authority or public body\r\n- Basic activity\r\n- Large-scale\r\n- Regular and systematic monitoring\r\n- Special categories of data and data relating to criminal convictions and offences\r\n\r\n---\r\n\r\n### Public authority or public body\r\n\r\n---\r\n\r\n**Public authorities** and **public bodies** include **national, regional and local authorities**, but, under the applicable national legislation, this concept also generally includes a series of **other bodies governed by public law**.\r\n\r\nThese concepts are therefore defined **on a case-by-case basis by national law**.\r\n\r\n**European law also provides guidance**, in 
particular:\r\n\r\n- [Directive 2003/98/EC on the re-use of public sector information](https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX%3A32003L0098)\r\n- [Directive 2004/18/EC on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts](https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32004L0018)\r\n\r\n> Directive 2003/98/EC indicates that **public sector bodies** include:\r\n>\r\n> the **State**, **local and regional authorities**, **bodies governed by public law**, and associations formed by one or more of these authorities or one or more of these **bodies governed by public law**.\r\n\r\n> Directive 2004/18/EC states that a **body governed by public law** is any body:\r\n>\r\n> established for the specific purpose of **satisfying needs in the general interest which are not of an industrial or commercial character**; which has legal personality; and which is:\r\n>\r\n> - **financed for the most part by the State, local authorities or other bodies governed by public law**, or whose **management is subject to control by these bodies**, or whose **administrative, management or supervisory body is made up of members more than half of whom are appointed by the State, local authorities or other bodies governed by public law**...\r\n\r\nBodies governed by private law with a **public service remit** do not meet this criterion. 
**Nevertheless, the appointment of a Data Protection Officer is strongly recommended for these bodies**.\r\n\r\n---\r\n\r\n### Basic activities\r\n\r\n---\r\n\r\n**Core activities** can be considered as the **essential operations necessary to achieve the objectives of the controller or processor**.\r\n\r\n> For example, the core activity of a **hospital** is to provide **health care**.\r\n>\r\n> However, a hospital cannot provide healthcare safely and effectively without **processing health data**, such as patients' medical records.\r\n>\r\n> Therefore, the **processing of such data must be considered one of the core activities of any hospital, and hospitals must therefore appoint a DPO**.\r\n\r\nOn the other hand, **all organisations carry out certain activities, such as remunerating** their employees or providing **standard IT support**.\r\n\r\nThese activities are examples of **support functions necessary to the core or principal activity of the organisation**.\r\n\r\nAlthough these activities are necessary or essential, they are generally considered to be **auxiliary functions rather than the core business**.\r\n\r\n---\r\n\r\n### On a large scale\r\n\r\n---\r\n\r\nThe main guidance currently available comes from the **Data Protection Authorities**.\r\n\r\n> In the **Czech Republic**, the **Data Protection Authority** has commented on large-scale data processing in its **Guide on Pre-Shipment Risk Assessments**.\r\n>\r\n> As is the case in a number of countries, the **Czech Data Protection Authority** has set a **threshold for the number of data subjects beyond which data processing is considered to be large-scale**, in this case:\r\n> **10,000 data subjects**.\r\n>\r\n> However, data processing with:\r\n>\r\n> - **more than 20 processing branches**, or\r\n> - by **more than 20 employees**\r\n>\r\n> is also considered to be **large-scale**.\r\n>\r\n> Finally, organisations will need to take account of the fact that data processing is carried out 
:\r\n>\r\n> - at **regional** level\r\n> - or at **international** level, the latter being **more likely to be considered as large-scale processing**.\r\n\r\n> The **UK Information Commissioner's Office** **has not quantified large-scale processing**.\r\n>\r\n> Instead, the ICO explains in its guidance that large scale includes:\r\n>\r\n> - the **duration**, **or permanence**, of the data processing activity, the **number or proportion of data subjects**, the **volume of data and/or the range of different data elements processed**, and the **geographical extent of the processing activity**.\r\n>\r\n> It then provides some examples, including:\r\n>\r\n> the **processing of data by a hospital**, the **tracking of people using a town's public transport system**, and the **processing of customer data by banks, insurance companies and telephone and Internet service providers**.\r\n\r\nIn any event, the G29, now the EDPB, **recommends that the following factors be taken into account** to determine whether processing is carried out on a large scale:\r\n\r\n- the **number of data subjects**, either in absolute terms or in relation to the population concerned;\r\n- the **volume of data and/or the spectrum of data processed**;\r\n- the **duration, or permanence, of the data processing activities**;\r\n- the **geographical extent of the processing activity**.\r\n\r\n> Here are some examples of large-scale data processing:\r\n>\r\n> - the **processing of patient data by a hospital in the normal course of its business**;\r\n> - the **processing of travel data of passengers using an urban public transport system**.\r\n>\r\n> On the other hand, the following are not large-scale processing operations:\r\n>\r\n> - the processing, by a **doctor practising on an individual basis, of data relating to his patients**;\r\n> - the processing, by a **lawyer practising on an individual basis, of data relating to criminal convictions and offences**;\r\n> - the processing of **criminal 
convictions and offences by a sole practitioner**.\r\n\r\n---\r\n\r\n### Regular and systematic monitoring\r\n\r\n---\r\n\r\nThe notion of **regular and systematic monitoring of data subjects** is not defined in the GDPR.\r\n\r\nHowever, the notion of \"**monitoring the behaviour of data subjects**\" is mentioned in Recital 24 of the GDPR.\r\n\r\nThis notion clearly includes **all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising**.\r\n\r\nHowever, the **notion of tracking is not limited to the online environment**:\r\n\r\n- online tracking should only be considered as an **example of tracking the behaviour of data subjects**.\r\n\r\nThe former **G29**, now **EDPB**, has clarified certain concepts, in particular \"**regular**\" and \"**systematic**\":\r\n\r\nThe term \"**regular**\" is understood as:\r\n\r\n- **continuous** or **occurring at regular intervals over a given period**;\r\n- **recurring** or **repeating at fixed times**;\r\n- occurring on a **constant or periodic basis**.\r\n\r\nWith respect to the term \"**systematic**\", one or more of the following meanings apply:\r\n\r\n- occurring **in accordance with a system**;\r\n- **pre-established**, **organised** or **methodical**;\r\n- taking place as part of a **general data collection programme**;\r\n- carried out as part of a **strategy**.\r\n\r\n> Here are some examples of activities constituting **regular and systematic monitoring of data subjects**:\r\n>\r\n> - the operation of a telecommunications network;\r\n> - the provision of telecommunications services;\r\n> - retargeting by electronic mail;\r\n> - data-driven marketing activities...\r\n\r\n---\r\n\r\n### Special categories of data and data relating to criminal convictions and offences\r\n\r\n---\r\n\r\nAlthough this provision uses the word \"and\", there is **no reason in principle why the two criteria should be applied simultaneously**. 
The text should therefore be read as meaning \"or\".\r\n\r\nIn any event, **designation is mandatory as soon as the large-scale collection concerns** :\r\n\r\n- Data revealing **racial or ethnic origin** ;\r\n- Data revealing **political opinions** ;\r\n- Data revealing **religious or philosophical beliefs**;\r\n- Data revealing **trade union membership**;\r\n- **Genetic** data ;\r\n- **Biometric** data;\r\n- **Health** data;\r\n- Data concerning **sexual life or sexual orientation**.\r\n\r\n---\r\n\r\n### Case study\r\n\r\n---\r\n\r\n| Entity | Activity | Mandatory appointment of a DPO? |\r\n| --- | --- | --- |\r\n| Association | Association offering sporting activities in its village | No |\r\n| Private company | Company processing real-time geolocation data of customers of an international fast-food chain for statistical purposes by a subcontractor specialising in the provision of these services. | Yes, the entity processes large-scale data as part of its core business. |\r\n| Town Hall | A local authority with a population of around one hundred carries out standard data processing for a local authority. | Yes, it is a public body. |\r\n| Public limited company | Provision of telecommunications services. | Yes, the entity regularly and systematically monitors the people concerned. 
|\r\n","",null,1401,8,"Mandatory or optional appointment of a DPO? ",0,"en","mandatory-or-optional-appointment-of-a-dpo","Mandatory appointment of a DPO ",false,"Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":7,"blogUrl":7,"color":7,"userId":18,"creationDate":21},38,"Paul-Emmanuel Bidault","https://static.dastra.eu/tenant-27/avatar/38/paul-emmanuel-bidault-150.jpg","2019-12-03T19:09:28","2023-12-27T10:08:36.35","2023-12-27T11:08:34.5992008","2025-08-27T09:09:54.4927242",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":7,"count":7,"imageUrl":7,"parent":7,"order":11,"translations":31},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[42],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":7,"count":7,"imageUrl":7,"parent":7,"order":11,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},[48,52],{"typeMetaDataId":49,"value":50,"id":51},3,"Découvrez notre 
solution",111688,{"typeMetaDataId":26,"value":53,"id":54},"https://www.dastra.eu/fr/contact?type=Demo",111689,"https://static.dastra.eu/content/15dfe0b5-b936-4c48-aad1-e3906517654b/article-jeje-1000.png",[57,58,59,60,61,62,63],"https://static.dastra.eu/content/15dfe0b5-b936-4c48-aad1-e3906517654b/article-jeje-1000.webp","https://static.dastra.eu/content/15dfe0b5-b936-4c48-aad1-e3906517654b/article-jeje.webp","https://static.dastra.eu/content/15dfe0b5-b936-4c48-aad1-e3906517654b/article-jeje-1500.webp","https://static.dastra.eu/content/15dfe0b5-b936-4c48-aad1-e3906517654b/article-jeje-800.webp","https://static.dastra.eu/content/15dfe0b5-b936-4c48-aad1-e3906517654b/article-jeje-600.webp","https://static.dastra.eu/content/15dfe0b5-b936-4c48-aad1-e3906517654b/article-jeje-300.webp","https://static.dastra.eu/content/15dfe0b5-b936-4c48-aad1-e3906517654b/article-jeje-100.webp",56333]