The data protection officer is an authorized person who oversees the protection of personal data during its processing by the controller or processor. The data protection officer shall be designated on the basis of his or her professional qualities, in particular his or her expert knowledge of data protection law and practices and his or her ability to perform the tasks set out in Article 39 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
In performing their duties, the data protection officer shall duly take into account the risks associated with processing operations, having regard to the nature, scope, context, and purposes of the processing. In the performance of their duties, they are bound by a duty of confidentiality or professional secrecy in accordance with Union or Member State law.
Is the appointment of a data protection officer an obligation or a right?
According to Article 37 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, the controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or a body governed by public law, with the exception of courts acting in their judicial capacity,
- the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale,
- the core activities of the controller or processor consist of the processing of special categories of data referred to in Article 9 on a large scale or the processing of personal data relating to criminal convictions and offenses referred to in Article 10.
A group of undertakings may designate a single data protection officer, provided that the data protection officer is easily accessible from each establishment.
Where the controller or processor is a public authority or a body governed by public law, a single data protection officer may be designated for several such authorities or bodies, taking into account their organizational structure and size.
In cases other than those referred to in paragraph 1, the controller or processor, or associations and other bodies representing categories of controllers or processors, may designate a data protection officer or, where required by Union or Member State law, shall designate one. The data protection officer may act on behalf of such associations and other bodies representing controllers or processors.
Who can be a data protection officer?
The data protection officer shall be independent of the controller or processor and reports directly to the senior management of the controller or processor. He or she may be employed by the controller or processor, or may perform his or her duties as an external data protection officer under a service agreement.
The data protection officer is appointed based on their professional qualifications, in particular their expertise in the law and procedures related to personal data protection, and their ability to perform the duties.
The controller and the processor are required to publish, for example on their website, the contact details of the data protection officer and to notify the Office for Personal Data Protection.
What are the duties of the data protection officer?
According to Article 37 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, the data protection officer has the following duties:
- providing information and advice to the controller or processor and to the employees who carry out processing regarding their obligations under this Regulation and other Union or Member State data protection legislation,
- monitoring compliance with this Regulation, with other Union or Member State legislation relating to the protection of personal data, and with the controller’s or processor’s policies regarding the protection of personal data, including the allocation of responsibilities, raising awareness and providing training for staff involved in processing operations and related audits,
- providing advice, upon request, regarding the data protection impact assessment and monitoring its implementation pursuant to Article 35,
- cooperating with the supervisory authority,
- acting as a point of contact for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 and, where appropriate, consultation on any other matters.