1. According to art. 38 para. 3 GDPR, Data Protection Officer (DPO) “responds directly to the highest level of the operator’s leadership”.
2. For reason identity, DPO designation should be done by the highest level of management.
3. The highest level of leadership is, for societies and associates, the general assembly.
4. Of course, the general meeting may delegate the task of designating the DPO to another governing body, but the DPO remains in charge of the general meeting.