They must mandatorily appoint a Data Protection Officer all public administrations, public entities and in general all entities (entities and enterprises) that in their main activities process personal data on a large scale.
Personal data means all information that identifies or makes identifiable, directly or indirectly, a natural person therefore personal data (name and surname, tax code, IP address, license plate number), sensitive data, relating to health or sex life, genetic, judicial and biometric data.
Businesses, which do not fall under the legal obligation, however, may still decide to have a DPO.
The data controller must communicate the contact details of the DPO by then reporting his or her appointment to the supervisory authority, i.e., the Data Protection Authority of the relevant country, through the appropriate online procedure.