A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on processing personal data such as its: purposes, interconnections, types, categories of data subjects, length of retention and the department(s) in charge of implementing processing. DPOs may be required by law or recommended.
The GDPR requires that data controllers and data processors designate a DPO in any case where:
A DPO is not mandatory for every organization but is highly recommended. Under the Spanish Data Protection and Digital Rights Act, DPOs are specifically required for certain companies and organizations, including: professional associations, educational institutions, electronic communication service providers, credit institutions, insurance companies, investment service businesses, online gaming companies, health sector businesses, and companies that conduct profiling for marketing purposes.