Rules for Appointing Personal Data Protection Officer Article 5 outlines the scenarios in which appointing a Data Protection Officer (DPO) becomes mandatory for Controllers. It defines what counts as “large-scale” processing, what qualifies as “regular and systematic monitoring,” and distinguishes between core vs non-core activities. If any of the defined triggers apply—such as handling sensitive data, monitoring individuals, or processing at scale—a DPO must be designated.
Appoint a DPO if you’re a public entity processing large amounts of personal data, if your core business depends on personal or sensitive data processing, or if you routinely monitor people using technology.
Rules for Appointing Personal Data Protection Officer Article 5 (First)
When DPO Is Required
Controller shall appoint one or more individuals to be responsible for protection of Personal Data in any of the following cases:
1- Controller is a Public Entity that provides services involving Processing of Personal Data on a large scale.
2- Controller's core activities are based on processing operations that, by their nature, require regular and systematic monitoring of Data Subjects.
3- Core activities of Controller are based on processing of sensitive Personal Data.
Rules for Appointing Personal Data Protection Officer Article 5 (Second)
Defining Large-Scale
The determination of whether the processing is on a large scale is based on the following criteria:
1- Number of data subjects.
2- Volume of personal data.
3- Type of personal data.
4- Geographical scope of processing.
5- Different categories of data subjects.
Rules for Appointing Personal Data Protection Officer Article 5 (Third)
Monitoring Criteria
The term “regular and systematic monitoring of Data Subjects” refers to:
1- Collection of personal data through tracking or other technologies.
2- Monitoring is considered regular if it is continuous, occurs at specific intervals, or takes place periodically.
3- Monitoring is considered systematic if it is conducted through technological systems, follows a specific methodology, or is implemented as part of a comprehensive strategy or general plan for collecting personal data.
Rules for Appointing Personal Data Protection Officer Article 5 (Fourth)
Monitoring Examples
The following activities are examples of regular and systematic monitoring:
1- Collecting personal health and fitness data through wearable devices.
2- Using behavioral analytics technologies for risk assessment purposes.
3- Location tracking, the use of cookies, and surveillance cameras.
Rules for Appointing Personal Data Protection Officer Article 5 (Fifth)
What Are Core Activities
Activities are considered core if the Controller cannot provide products or services without processing personal data. Examples of core activities include:
1- Insurance companies processing health data to provide health insurance to customers.
2- Finance companies processing credit data to offer products or services related to financing.
3- Marketing companies processing personal data for marketing purposes.
Activities that support the Controller’s core business, such as processing employee data by the human resources department within the entity, do not constitute core activities.
Explanation of Rules for Appointing Personal Data Protection Officer Article 5
Mandatory appointment scenarios:
Rules for Appointing Personal Data Protection Officer Article 5 (First) says that a DPO must be appointed if the Controller is a public entity processing at scale, conducts systematic monitoring, or its core services depend on sensitive data processing.
How to judge scale:
Rules for Appointing Personal Data Protection Officer Article 5 (Second) says that processing is considered large-scale based on factors like the number of individuals, data volume, types of data, geographic spread, and number of data subject categories.
Regular and systematic explained:
Rules for Appointing Personal Data Protection Officer Article 5 (Third) says that monitoring is considered “regular” if it’s ongoing or scheduled, and “systematic” if it’s methodical, uses tech systems, or follows strategic collection plans.
Practical examples:
Rules for Appointing Personal Data Protection Officer Article 5 (Fourth) gives as examples of such monitoring the collection of health and fitness data via wearables, behavioral analytics for risk assessment, location tracking, cookies, and surveillance cameras.
Core vs support functions:
Rules for Appointing Personal Data Protection Officer Article 5 (Fifth) says that activities are “core” if services can’t be delivered without processing personal data (e.g., insurance underwriting, credit profiling, targeted marketing). Supporting functions, such as the HR department processing employee data, are not core activities.