Last review date: January 2025

Yes

Last review date: January 2025

Yes

If yes, under what circumstances?

☒   the processing is carried out by a public authority or body, except for courts acting in their judicial capacity

☒   the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale

☒   the core activities of the controller or the processor consist of processing on a large scale of special categories of data

Last review date: January 2025

Yes

The DPO must have appropriate professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil their tasks pursuant to applicable data protection laws.

Last review date: January 2025

No

We note though that the following scenarios may trigger similar requirements:

• When transferring personal data to a third country or an international organization, the following may be used as safeguards for such data transfers only if they are approved by a data protection supervisory authority in the EU:
  • binding corporate rules (Article 47 of the GDPR);
  • codes of conduct (Article 40 of the GDPR); and
  • certification mechanisms, where a data protection supervisory authority acts as the certification body; and (Article 42 of the GDPR).

• Where the data controller carries out a data protection impact assessment concerning a proposed data processing activity and as a result, it concludes that in the absence of risk-mitigating measures, the proposed data processing activity would result in a high risk to the data subjects’ rights and freedoms, it must consult the competent data protection supervisory authority before it begins the proposed data processing(Article 36 of the GDPR).