Designating a data protection officer
A data protection officer must be designated if your organisation
- processes sensitive data on a large scale
- monitors individuals regularly, systematically and on a large scale or
- is a public authority (with the exception of courts).
The data protection officer must be independent and cannot have conflicts of interest with the duties of the data protection officer. As every organisation is different, such conflicts of interest must be evaluated on a case-by-case basis.
The data protection officer cannot hold a position or duty that requires him or her to define the purposes and methods of the processing of personal data. Defining the purposes and methods of personal data processing is the controller's responsibility. Conflicts of interest may arise if, for example, an information security officer or senior manager is designated as the data protection officer.
You can designate a data protection officer even if the GDPR does not require you to. When an organisation appoints a data protection officer voluntarily, the requirements of the GDPR concerning the appointment, position and duties of the data protection officer apply just as if the designation had been mandatory.
Communicating the contact details of the Data Protection Officer
The contact details of the data protection officer must be communicated to the Office of the Data Protection Ombudsman.
The data protection officer's contact details must also be directly and easily accessible to the public. Data subjects can contact the data protection officer in all matters related to the processing of their personal data or the exercise of rights based on the GDPR. For example, the data protection officer can have a dedicated customer service telephone number or contact form on the company’s website.
If a personal data breach that must be communicated to the data subjects and data protection authority occurs within the organisation, the name and contact details of the data protection officer or other contact person for providing additional information must be included in the report.
Read more:
Declaration of Data Protection Officer
Change to Data Protection Officer declaration
GDPR: Articles 37‒39, recital 97 (EUR-Lex)
Guidelines on Data Protection Officers (pdf)