Frequently asked questions about Data Protection Officers
The contact details of the Data Protection Officer must be available to the public, e.g. on the organisation's website. The Data Protection Officer can also have a dedicated customer service telephone number or contact form.
The e-mail address of the Data Protection Officer can be, for example, DPO@organisation.com. Publishing the name of the Data Protection Officer is optional.
The Data Protection Officer must be independent and cannot have conflicts of interest with the duties of the Data Protection Officer. As every organisation is different, such conflicts of interest must be evaluated on a case-by-case basis.
The Data Protection Officer cannot hold a position or duty that requires him or her to define the purposes and methods of the processing of personal data. Defining the purposes and methods of personal data processing is the controller's responsibility. Conflicts of interest may arise if, for example, an information security officer or senior manager is designated as the Data Protection Officer.
No specific qualification requirements have been provided for. Nevertheless, tasks such as the extensive processing of special categories of personal data can impose practical requirements on the DPO’s qualifications.
When appointing a Data Protection Officer, you need to consider the candidate’s qualifications, especially his or her familiarity with data protection legislation and practices, along with the candidate's capability to perform his or her duties. Among other things, Data Protection Officers are responsible for ensuring that the organisation complies with data protection legislation. Their duties also include advising the controller or processor and employees who process personal data in matters involving data protection.
The GDPR requires an organisation to appoint a Data Protection Officer if it
processes sensitive data on a large scale;
monitors individuals regularly, systematically and on a large scale; or
is a public authority other than a court of law.
This obligation provided for in the GDPR has been interpreted to mean that you need to have a designated Data Protection Officer at all times.
You can designate a Data Protection Officer even if the GDPR does not require you to. When an organisation appoints a Data Protection Officer voluntarily, the requirements of the GDPR concerning the appointment, position and duties of the Data Protection Officer apply just as if the designation had been mandatory.