DPOs and DPC’s Annual Report 2024

July 2025

Being a Data Protection Officer (DPO) is no easy task, and there have been many learnings and challenges during the last seven years. The learnings apply to both the DPO and the organisations they work with to understand the role and how that role best fits within the organisation.

The opening line of the DPO section of the DPC Annual Report of 2024 sums up the importance of the DPO role: "The role played by organisational Data Protection Officers (DPOs) is critical for the successful application of data protection law". Such an important role is never going to be straightforward.

The formal designation of an organisation’s DPO needs to be notified to the DPC (via an online form on the DPC website) and updated when a DPO changes or contact details change. There are now almost 4,000 DPOs registered with the DPC.

The DPC is currently focused on supporting DPOs through events such as the DPO network conference, engagement with DPO networks, and making material available on their website. The DPC is increasing this activity throughout 2025.

When Do You Need to Appoint a DPO?

As per Article 37 of the GDPR, a DPO needs to be appointed by an organisation (this can be a controller or a processor) where the organisation falls within any of the following:

• A public authority (except for courts acting in their judicial capacity); or

• Their core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or

• The processing consists of a large amount of special category of personal data or personal data relating to criminal convictions and offences.  

If an organisation falls within any of these three categories, a DPO is a mandatory requirement. It's important to note that if an organisation decides to appoint a DPO where it's not mandatory, that DPO will fall within the designation under the GDPR and will have the obligations and rights as set out.

If an organisation wishes to appoint someone responsible for privacy but they do not have a mandatory obligation to appoint a DPO, it should consider the title and job specification of that individual. For example, the title could be Privacy Manager.

Key Takeaways

As DPOs continue to be critical for compliance with data protection law, it's important for organisations to reflect on their current obligations and any updates that may need to be made.

Further Reading

• DPC Annual Report 2024 - Data Protection Commission

• Article 37 GDPR: Designation of the DPO

• Article 38 GDPR: Position of the DPO

• Article 39 GDPR: Tasks of the DPO

• European Data Protection Board – Guidelines on DPOs: JUSTICE AND CONSUMERS ARTICLE 29 - Guidelines on Data Protection Officers ('DPOs') (wp243rev.01)

• DPC’s Guidance on Appropriate Qualifications for DPOs Guidance on Appropriate Qualifications for DPOs | Data Protection Commission

For any queries on this article or how Rock Consultancy can support your organisation, please contact us at info@rockconsultancy.ie