Whether you need a data protection officer (DPO) depends on the scope and purpose of your data processing activities.
You must formally designate a data protection officer (Articles 37-39) and register that designation with your supervisory authority
- if your core activity consists of processing operations which, by their nature, scope and/or purpose, require extensive, regular and systematic monitoring of data subjects (e.g. insurance companies, professional detectives, tracking of people while travelling ...), or
- if your core activity is the extensive processing of sensitive data (e.g. hospitals or medical institutions) or of data on criminal convictions or offences.
However, a single physician does not need a DPO, as that data processing is not carried out on an extensive scale.
The Article 29 Working Party has defined "core activities", "regular" and "systematic" so that the terms can be used for general interpretation:
"Core activity" can be considered as the key operations to achieve the controller’s or processor’s objectives.
"regular" is interpreted as one or more of the following:
- ongoing or occurring at particular intervals for a particular period
- recurring or repeated at fixed times
- constantly or periodically taking place
"systematic" is interpreted as one or more of the following:
- occurring according to a system
- pre-arranged, organised or methodical
- taking place as part of a general plan for data collection
- carried out as part of a strategy
Tasks of the Data Protection Officer
A data protection officer (DPO) has to fulfil the following tasks:
- Informing and advising the controller and its employees on their obligations under the GDPR.
- Monitoring and reviewing data protection compliance and privacy policies, including the assignment of responsibilities and the awareness and training of staff.
- Where applicable, providing advice in the context of the data protection impact assessment (DPIA) and monitoring its implementation.
- Acting as the contact point for, and cooperating with, the supervisory authority.