An organisation is required to appoint a Data Protection Officer if it
- processes sensitive data on a large scale;
- monitors individuals regularly, systematically and on a large scale; or
- is a public authority other than a court of law.
This obligation provided for in the GDPR has been interpreted to mean that a designated Data Protection Officer must be available at all times.
Organisations must therefore provide holiday cover for their Data Protection Officer. The processing of personal data breach reports and data subjects’ requests to exercise their rights must not be delayed due to the Data Protection Officer’s absence.
The person covering for the Data Protection Officer should also ideally be impartial.
The Data Protection Officer’s e-mail address should ideally be specific to the role, such as [email protected] This allows the person covering for the Data Protection Officer to also read the e-mails and ensures smooth communication during the Data Protection Officer’s absence and in connection with personnel changes.