What are the GDPR requirements regarding the appointment of a Data Protection Officer?
The General Data Protection Regulation (“GDPR”) introduces a number of obligations for the public and private sectors, both of which are challenged to build and demonstrate compliance with a complex set of data protection rules. In certain cases, the designation of a Data Protection Officer is one of the mandatory requirements.
According to Regulation (EU) 2016/679, Section 4, Art. 37, Para 1, the controller and the processor shall designate a data protection officer in any case where:
the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;
the core activities of the controller or the processor consist of processing on a large scale of special categories of data.
The Regulation refers to two options: a staff member, or an external expert fulfilling the tasks on the basis of a service contract. However, organizations must ensure that the DPO acts independently and is not faced with a conflict of interests in relation to their tasks and duties.
The designation of a Data Protection Officer should be a well-considered decision. Prior to taking this important step, you could approach us for an initial consultative meeting. Contact us on: