The obligation and the intensity of the DPO's work vary with each sector's processing profile. The four where designation is most frequently required are presented below.
Public Sector & Local Authorities
For public authorities and bodies the designation of a DPO is mandatory, and Portuguese law requires at least one DPO per ministry or governmental area, per regional secretariat and per municipality. The volume and sensitivity of citizen data make this the densest theatre of obligation.
Law 58/2019, Art. 12
Health & Clinics
The large-scale processing of health data — a special category under Article 9 — typically triggers the mandatory designation of a DPO and the performance of impact assessments, with heightened security and confidentiality duties.
GDPR, Arts. 9, 35; Law 58/2019, Art. 13
Technology & SaaS
Platforms whose core activity involves the regular and systematic monitoring of users on a large scale fall within the mandatory designation, often acting as processors and requiring rigorous Article 28 contracts and transfer mechanisms.
GDPR, Art. 37(1)(b); Law 58/2019, Art. 13
Marketing & Data
Direct marketing, profiling and the use of cookies raise specific duties of consent, transparency and the right to object, at the intersection of the GDPR and the ePrivacy rules.
GDPR, Arts. 21–22; Law 41/2004