Which institutions/enterprises must appoint a personal data protection officer?
Main activity
The concept of primary operations implies that the processing of personal data must be one of the key elements of the controllers or processors' operations. The concept also includes when the processing of personal data is an integral part of the operation.
However, most institutions and/or companies have various support activities, for example in connection with pay or operating computer systems. Such support activities are not considered as the main activities of an organisation, although these activities are certainly necessary and unavoidable for daily activities and often involve the processing of personal data.
For example, the processing of health information, which is considered sensitive personal information, is part of the main function of hospitals and therefore such institutions must appoint a personal data protection officer.
Example
A small family business sells household appliances in a small town and uses the services of a processor. The main activity of the processor is to provide services for analysis on the website of the family business and help in finding target groups for advertising.
The family business does not involve extensive processing of personal data on customers, given the small number of customers and the company's very limited operations.
On the other hand, the processing of personal data by processors, which has many customers like this small company, is considered to be extensive.
The processor must therefore appoint a personal data protection officer. However, the small family business is not obliged to appoint a personal data protection officer.
