Frequently asked questions about Data Protection Officers

The contact details of the Data Protection Officer must be available to the public, e.g. on the organisation's website. The Data Protection Officer can also have a dedicated customer service telephone number or contact form.

The e-mail address of the Data Protection Officer can be, for example, [email protected] Publishing the name of the Data Protection Officer is optional.

The Data Protection Officer's contact details must be easily accessible. Data subjects can contact the Data Protection Officer in all matters related to the processing of their personal data or the exercise of the rights of the data subject.

The Data Protection Officer must be independent and cannot have conflicts of interest with the duties of the Data Protection Officer. As every organisation is different, such conflicts of interest must be evaluated on a case-by-case basis.

The Data Protection Officer cannot hold a position or duty that requires him or her to define the purposes and methods of the processing of personal data. Defining the purposes and methods of personal data processing is the controller's responsibility. Conflicts of interest may arise if, for example, an information security officer or senior manager is designated as the Data Protection Officer.

No specific qualification requirements have been provided for. Nevertheless, tasks such as the extensive processing of special categories of personal data can impose practical requirements on the DPO’s qualifications.

When appointing a Data Protection Officer, you need to consider the candidate’s qualifications, especially his or her familiarity with data protection legislation and practices, along with the candidate's capability to perform his or her duties. Among other things, Data Protection Officers are responsible for ensuring that the organisation complies with data protection legislation. Their duties also include advising the controller or processor and employees who process personal data in matters involving data protection.

The GDPR requires an organisation to appoint a Data Protection Officer if it

• processes sensitive data on a large scale;
• monitors individuals regularly, systematically and on a large scale; or
• is a public authority other than a court of law.

This obligation provided for in the GDPR has been interpreted to mean that you need to have a designated Data Protection Officer at all times.

You can designate a Data Protection Officer even if the GDPR does not require you to. When an organisation appoints a Data Protection Officer voluntarily, the requirements of the GDPR concerning the appointment, position and duties of the Data Protection Officer apply just as if designating the Data Protection Officer would have been mandatory.

An organisation is required to appoint a Data Protection Officer if it

• processes sensitive data on a large scale;
• monitors individuals regularly, systematically and on a large scale; or
• is a public authority other than a court of law.

This obligation provided for in the GDPR has been interpreted to mean that a designated Data Protection Officer must be available at all times.

Organisations must therefore provide holiday cover for their Data Protection Officer. The processing of personal data breach reports and data subjects’ requests to exercise their rights must not be delayed due to the Data Protection Officer’s absence.

The person covering for the Data Protection Officer should also ideally be impartial.

The Data Protection Officer’s e-mail address should ideally be specific to the role, such as [email protected]  This allows the person covering for the Data Protection Officer to also read the e-mails and ensures smooth communication during the Data Protection Officer’s absence and in connection with personnel changes.

Controllers and processors have a duty to ensure that personal data are processed in accordance with the rules. Staff need to be trained and given advice and instruction. Staff’s data protection competence can also be measured by means of various tests.

Training and instruction can cover, for example,

• what constitutes personal data,
• how should personal data be processed,
• what kinds of personal data can be processed (on a needs basis only),
• which information systems are used to process personal data,
• how information security and user access are managed,
• what to do in the event of a personal data breach (if, for example, an e-mail is sent to a wrong address), and
• the identity and responsibilities of the organisation’s Data Protection Officer and what kind of help they can provide to other members of staff.

It is also important to identify any other organisation-specific and industry-specific personal data processing needs and to tailor training and instruction to meet those needs.

Controllers need to be able to demonstrate their compliance with the obligation to provide training and instruction.