In some cases, it is mandatory to appoint a data protection officer (DPO). This is the case, for example, for a public authority or body, but also for companies that are mainly engaged in systematic observation (profiling and tracking) or large-scale processing of special personal data.
A so-called data protection impact assessment is necessary when data processing operations are carried out with a likely high risk for the rights and freedoms of individuals.
A non-exhaustive list has been drawn up by the Data Protection Authority of processing operations in which a DPIA must be conducted, including: when combatting fraud, large-scale processing of health data, (flexible) camera surveillance and monitoring of employees (e.g. GPS tracking or email and internet surveillance).
