
Data Protection in Albania
Data protection laws in Albania
On 19 December 2024, the Parliament of the Republic of Albania passed Law No. 124/2024, titled “On Personal Data Protection” (the “Data Protection Law”) (Official Gazette of the Republic of Albania No. 9, dated 17 January 2025). This legislation aims to align Albania’s legal framework with the European Union’s standards, particularly by incorporating Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) and Directive (EU) 2016/680, both of which address the protection of personal data in various contexts, including criminal law enforcement.
The adoption of this law marks the culmination of an extensive process, with the Office of the Information and Data Protection Commissioner pursuing the alignment of Albanian data protection laws with the GDPR since 2018.
The Data Protection Law establishes the rules for safeguarding individuals’ personal data and aims to protect fundamental human rights and freedoms, particularly the right to personal data protection.
Scope
The Data Protection Law applies when personal data are processed in whole or in part by automatic means, as well as to the processing of personal data which are part of a filing system or are intended to become part of a filing system where the processing is not carried out by automatic means; however, the law does not cover data processing by natural persons for purely personal or family purposes (Article 3).
Territorial Scope
The Data Protection Law shall apply to the processing of personal data:
- in the framework of the activities of a controller or processor established in the Republic of Albania, regardless of whether the processing takes place in the Republic of Albania or not;
- of data subjects who are located in the Republic of Albania, by a controller who is not established in the Republic of Albania, where the processing operations relate to:
  - the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
  - the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania;
- by a controller or processor who is not established in the Republic of Albania, but in a territory where Albanian law applies on the basis of public international law (Article 4).
Definitions in Albania
Definition of Personal Data
The Data Protection Law defines personal data as any information relating to a data subject (Article 5(3)).
A “data subject” refers to any identified or identifiable natural person. A person is identifiable if he or she can be identified, directly or indirectly, by reference to one or more specific identifiers, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity (Article 5(23)).
Definition of Sensitive Personal Data
The Data Protection Law defines sensitive data as special categories of personal data that reveal racial or ethnic origin, political opinions, religious beliefs or philosophical views, or trade union membership, as well as genetic data, biometric data, data concerning health, and data concerning a person’s sex life or sexual orientation (Article 5(28)).
“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a person which provide unique information concerning his or her physiology or health and which are obtained, in particular, because of the analysis of a biological sample taken from that person (Article 5(25)).
“Biometric data” means personal data resulting from specific technical processing of the physical, physiological or behavioural characteristics of a person which enable or confirm the unique identification of that person, such as facial images or fingerprints (Article 5(24)).
“Data concerning health” means personal data relating to the physical or mental health of a person, including the provision of healthcare services, which indicates information relating to his or her state of health (Article 5(26)).
National data protection authority in Albania
The Commissioner for the Right to Information and Personal Data Protection (the “Commissioner”) is the Albanian authority in charge of overseeing and ensuring the implementation of the applicable legislation on data protection, with the primary goal of protecting the fundamental rights and freedoms of individuals in relation to the processing of personal data. The Commissioner is an independent authority, elected by a majority of the Parliament members, based on a proposal from the Council of Ministers, for a seven-year term, with the possibility of re-election.
In carrying out their duties and exercising their powers under the Data Protection Law, the Commissioner operates independently, free from any direct or indirect influence, and does not seek or accept instructions. During the Commissioner’s term, they are prohibited from engaging in any activities or professions that may conflict with their duties, whether paid or unpaid.
The Commissioner is supported by the Office of the Commissioner, which is provided with the necessary human, technical, financial, and infrastructural resources to effectively perform its functions. The staff operates under the exclusive direction of the Commissioner and reports to them regularly. To fulfil the mission and objectives of the office, the Commissioner may also consult with external advisors on specific matters. The Commissioner has the authority to approve the organizational structure of the Office of the Commissioner.
The Commissioner is seated at:
Rr. “Abdi Toptani”, Nd. 5
Postal Code 1001
Tirana
Albania
Registration in Albania
A data controller or processor must notify the Commissioner of the contact details of the Data Protection Officer.
If a data controller or processor is not established in the Republic of Albania but engages in processing activities related to data subjects in Albania, the controller or processor must appoint a representative and notify the Commissioner. This notification must include the identity of the representative appointed in the Republic of Albania. The notification must be provided in writing (Article 25).
This requirement applies when processing involves:
- the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
- the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania.
This requirement shall not apply:
- to processing, which is incidental, does not involve the processing of sensitive data or criminal data on a large scale and is not likely to result in a risk to the fundamental rights and freedoms of natural persons, taking into account the nature, context, object and purposes of the processing; or
- to public authorities.
Data protection officers in Albania
Obligation to designate a Data Protection Officer (“DPO”) (Article 33)
The controller and the processor must designate a DPO if:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or processor involve processing operations that, due to their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or processor involve processing sensitive data or criminal data on a large scale.
A group of companies may appoint a single DPO, who should be easily accessible to each member of the group. In the case of a public authority, one DPO may be designated to cover multiple authorities, considering their organizational structure and size.
In situations not covered by the first paragraph above, the controller, processor, associations, or other bodies representing a category of controllers or processors may, or in some cases must, designate a DPO, as required by law.
Duties and position of the DPO (Article 34)
The DPO has the following duties:
- Provides advice, upon request, to the management bodies of the controller or processor on all matters related to data protection;
- Participates in data protection impact assessments;
- Informs and advises the staff of the controller or processor on data protection, including raising awareness and training staff involved in processing operations;
- Monitors compliance with the Data Protection Law, other applicable data protection provisions, and the policies of the controller or processor, including the assignment of responsibilities, awareness-raising, staff training, and relevant audits;
- Cooperates with and serves as a point of contact for the Commissioner;
- Gives due attention to the risks of infringing fundamental rights and freedoms that may arise from personal data processing, considering the nature, context, circumstances, and purposes of the processing.
The DPO must be appointed based on certified professional qualifications, particularly with sound knowledge of data protection law and practices, and the ability to perform the tasks outlined in the paragraph above.
The DPO may be an employee of the controller or processor, or someone under a service contract. The DPO may hold other responsibilities, but the controller or processor must ensure these duties do not conflict with the role of the DPO.
The controller and processor must ensure the DPO is involved in a timely manner in all matters related to data protection and has the necessary resources to carry out their duties. The DPO must also maintain confidentiality regarding their duties.
The controller and processor must ensure the DPO is not given instructions regarding the performance of their duties and cannot be dismissed or penalized for carrying out their responsibilities. The DPO reports directly to the highest level of management of the controller or processor.
Collection and processing in Albania
The Data Protection Law provides the following definitions:
A “controller” means the natural or legal person and any public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 5(8)).
A “processor” means the natural or legal person and any public authority which processes personal data on behalf of the controller (Article 5(18)).
Principles for the lawful processing of personal data (Article 6)
Personal data shall be:
- processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
- adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
- accurate and where necessary kept up to date (the “accuracy principle”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).
The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”).
Lawfulness of processing of personal data (Article 7)
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Lawfulness of processing of sensitive data (Article 9)
Processing of sensitive data is prohibited.
The processing of sensitive data is permitted if appropriate measures are implemented to protect the fundamental rights and interests of data subjects and only in cases where:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the applicable legislation provides that the prohibition on processing sensitive data cannot be waived by consent from the data subject;
- processing is necessary for the fulfilment of a specific obligation or right of the controller or of the data subject in the field of employment, social security and social protection, including obligations and rights arising from a collective agreement, in accordance with the applicable legislation in these areas, provided that the fundamental rights and interests of the data subject are guaranteed;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent due to his / her health condition or when his / her right to act has been removed or restricted;
- processing is carried out in the course of the lawful activity of a not-for-profit political, philosophical, religious or trade union organization, provided that the processing relates only to members or former members of the organization or to persons who have regular contact with it in the context of its activity, and that the personal data are not disseminated outside the organization without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject and the processing is necessary for the pursuit of a legitimate interest;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for archiving purposes in the public interest, or for historical, research, scientific or statistical purposes, subject to legal provisions.
Lawfulness of processing of data related to criminal offences and convictions (Article 10)
Processing of personal data relating to criminal convictions and offences, or to related security measures, may be carried out only under the control of a competent authority, or where the processing is authorised by a law that provides appropriate safeguards for the rights and freedoms of data subjects. The judicial status register is maintained under the control and supervision of the Ministry of Justice, in accordance with the legislation in force.
Processing of data for specific purposes:
Processing of personal data and freedom of expression (Article 43)
To balance data protection with freedom of expression and information, exceptions to the Data Protection Law can be applied for journalistic, academic, artistic, and literary purposes, provided:
- The data is necessary for preparing journalistic, academic, literary or artistic materials for publication;
- The data is only used for the specified purpose;
- The publication serves the public interest;
- Applying the Data Protection Law would hinder the purpose;
- The processing does not harm the fundamental rights of data subjects.
If these exceptions are applied, personal data should only be retained for as long as needed for the publication and can be shared with those involved in its creation, other potential publishers, or for legal purposes.
Additionally, when publishing, the controller must ensure that minors, crime victims, or individuals claiming harm are not identifiable without their consent or court approval, except where the victim is a public figure and the publication relates to that role.
These exceptions do not apply to the processing of data about minors, and they do not displace certain other provisions of the law.
Processing of personal data and access to information in the public sector (Article 44)
The right to personal data protection is balanced against the right of access to official documents and information, as set out in the applicable legislation. Personal data protection does not restrict public access to information about public authorities or about individuals exercising state functions, unless other fundamental rights (such as the right to life or physical integrity) require specific protection of their data.
Processing of personal data for archiving, research, and statistical purposes (Article 45)
The processing of personal data, including sensitive and criminal data, for archiving in the public interest, or for historical, research, scientific, or statistical purposes, is considered a legitimate interest of the controller, unless the data subject’s interests or fundamental rights and freedoms, which require protection of their personal data, take precedence.
Personal data collected for any purpose may be further processed for archiving purposes, historical research, or scientific and statistical purposes.
This processing must be carried out with appropriate safeguards to protect the rights and freedoms of the data subject. These safeguards include, but are not limited to:
- Technical and organizational measures taken by the controller in compliance with Data Protection Law, especially principles of data minimization or pseudonymization, to achieve the processing purpose. If the purpose can be achieved by processing anonymized or pseudonymized data, that method should be used;
- Pseudonymization of data, and where possible, anonymization before transferring data for further processing;
- Specific safeguards to ensure that data is not used for decisions or actions concerning the data subject, unless the data subject has expressly given consent.
Exemptions from certain data subject rights may apply if exercising those rights would significantly hinder or prevent the achievement of the processing purpose. The controller bears the burden of proving that the exercise of these rights would cause such an obstacle to the purpose.
Processing of personal data and direct marketing (Article 46)
See Electronic marketing.
Transfer in Albania
General principles (Article 39)
Personal data that is being processed or will be processed after transfer may only be transferred to a foreign country or international organization or further transferred from one foreign country or international organization to another, if adequate protection for the data is guaranteed at the destination, or if specific safeguards are in place specifically for such transfer.
Transfers required by foreign court or administrative authority decisions will only be recognized or enforced if they are based on an international agreement, such as a mutual legal assistance treaty, in effect between the requesting third country and Albania, and without violating the other transfer criteria outlined in the Data Protection Law.
Transfer of data based on an adequacy decision (Article 40)
Personal data may be transferred to foreign countries or international organizations if the recipient is located in a country, territory, or sector within a foreign country, or belongs to an international organization that ensures an adequate level of data protection. The adequacy of the data protection level for a country, territory, sector, or international organization is determined by a decision of the Commissioner.
Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016 the following states have an adequate level of data protection:
- European Union member states;
- European Economic Area states;
- Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
- States where personal data may be transferred, pursuant to a decision of the European Commission.
Transfer of data in the absence of an adequacy decision (Article 41)
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if appropriate safeguards are in place, and if enforceable data subject rights and effective legal remedies are available for the data subjects.
If appropriate safeguards are not in place, the transfer may only occur if one of the following conditions is met:
- the data subject has explicitly consented to the proposed international transfer, after having been clearly informed of the possible risks of such transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically incapable of giving consent, or their right to act has been removed or restricted;
- the transfer is necessary for important reasons of public interest;
- the processing is necessary for the establishment, exercise or defence of a right, obligation or legitimate interest before a court or public authority;
- the transfer is made from a register that is open for consultation by law and provides information to the general public, provided that the transfer includes only certain information and not entire sections of the register.
Where a transfer could not be based on any of the above, a transfer may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the Commissioner and the data subject of the transfer and on the compelling legitimate interests pursued.
Security in Albania
General responsibility of the controller (Article 22)
The Data Protection Law requires controllers to implement appropriate technical and organizational measures, based on the nature, scope, context, and purposes of the processing, as well as the potential risks to individuals’ rights and freedoms. These measures must be regularly reviewed and updated as necessary.
Data protection by design and by default (Article 23)
Controllers should consider technological developments, implementation costs, and the specific circumstances of the processing when determining safeguards, such as pseudonymization, to protect data subjects’ rights.
Controllers must ensure that, in a predetermined manner, only the personal data necessary for each specific purpose is processed, including limiting the data collected, its accessibility, and storage period. Security measures must prevent unauthorized access to personal data and maintain the confidentiality, integrity, availability, and resilience of processing systems and services.
Measures to ensure the security of processing (Article 28)
The controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, where applicable:
- Pseudonymization and encryption of personal data;
- The ability to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services;
- The ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident;
- A process for regularly testing, reviewing, and assessing the effectiveness of the technical and organizational measures to ensure the security of the processing.
The level of security shall be in compliance with the nature of personal data processing. The Commissioner has established additional rules for personal data security by means of Decision No. 6, dated 05 August 2013 “On the Determination of Detailed Rules for the Security of Personal Data”.
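The pseudonymization safeguard named in Article 28 (security of processing) and Article 45 (archiving, research and statistics) is frequently implemented as an unkeyed hash of the identifier, which does not meet the bar: national ID numbers and e-mail lists are small enough to enumerate, so the hash can be reversed by anyone holding the output. The example below is added by the editor and is not code from the page, the law or the Commissioner’s decisions. It uses constructed sample records and a hypothetical `pseudonymize` routine to show keyed (HMAC) pseudonyms that stay linkable within a dataset, the dictionary attack that breaks the unkeyed variant, and why the key is the re-identification capability that must be held separately from the pseudonymized data.

```python
"""Keyed pseudonymization of personal data versus an unkeyed hash.

Added example (not from the original page). Records are constructed
and refer to no real person; field and function names are assumptions.
"""
import hashlib
import hmac
from typing import Iterable, List, Optional

# Constructed sample records: two rows for the same data subject, one other.
SAMPLE_RECORDS = [
    {"id_number": "J12345678A", "email": "arta@example.com", "diagnosis": "J45"},
    {"id_number": "K98765432B", "email": "ben@example.com", "diagnosis": "E11"},
    {"id_number": "J12345678A", "email": "arta@example.com", "diagnosis": "J45"},
]

# Fields that identify the subject directly; the rest stay as-is here.
DIRECT_IDENTIFIERS = ("id_number", "email")


def pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of an identifier under a secret key (hex).

    The same key maps the same identifier to the same token, so records
    remain linkable for research/statistics; without the key the mapping
    cannot be recomputed from the identifier space.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records: Iterable[dict], key: bytes) -> List[dict]:
    """Return copies of `records` with direct identifiers replaced by tokens."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in new:
                new[field] = pseudonym(new[field], key)
        out.append(new)
    return out


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256, commonly (and wrongly) used as a pseudonym."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reidentify_naive(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unkeyed hash: try every plausible identifier."""
    for cand in candidates:
        if naive_hash(cand) == token:
            return cand
    return None


def reidentify_keyed(token: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """The same attack against HMAC tokens only works with the real key,
    which is why the key is kept apart from the pseudonymized dataset."""
    for cand in candidates:
        if hmac.compare_digest(pseudonym(cand, key), token):
            return cand
    return None


if __name__ == "__main__":
    import secrets

    key = secrets.token_bytes(32)          # held by the controller only
    pseudo = pseudonymize(SAMPLE_RECORDS, key)
    emails = [r["email"] for r in SAMPLE_RECORDS]
    print("linkable:", pseudo[0]["email"] == pseudo[2]["email"])
    print("naive hash reversed:", reidentify_naive(naive_hash(emails[0]), emails))
    print("keyed, wrong key:", reidentify_keyed(pseudo[0]["email"], emails, b"x" * 32))
    print("keyed, right key:", reidentify_keyed(pseudo[0]["email"], emails, key))
```

Under Article 45 the key is what makes the data pseudonymized rather than anonymized: a recipient who never receives the key, and has no other route to the identifiers, sees anonymized data, while the controller retains the ability to re-identify. If the key is destroyed and no other copy of the mapping exists, the dataset becomes anonymized for everyone, which is the "anonymization before transfer" the article prefers where the purpose allows it.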
Breach notification in Albania
Controller’s notification to the Commissioner (Article 29)
In the event of a personal data breach, the controller must notify the Commissioner as soon as possible, and no later than 72 hours after becoming aware of the breach. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the notification is not made within the 72-hour timeframe, the controller must provide an explanation for the delay.
The notification to the Commissioner must include, at a minimum:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records involved;
- The name and contact details of the DPO or another relevant contact point;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed to address the breach, including, where applicable, measures to mitigate its potential adverse effects.
If all of the required information is not available at once, it may be provided in stages, as soon as possible.
The controller must document all personal data breaches, including the details, impact, and corrective actions taken, to enable the Commissioner to verify compliance. The Commissioner shall respond to the notification in line with their authority. The Commissioner may also instruct the controller to notify the affected data subjects of the personal data breach if the breach is likely to pose a high risk to their rights and freedoms, and if the controller has not already done so, as outlined in the section below.
Controller’s notification to the data subjects (Article 29)
The controller must inform data subjects if the risks to their rights and freedoms resulting from the data breach are likely to be high, by providing the information as outlined in the notification to the Commissioner above. However, notification to data subjects is not required in the following cases:
- The controller has implemented appropriate technical and organizational protective measures, such as encryption, which were applied to the personal data affected by the breach;
- The controller has taken additional steps to reduce the risk of harm to the rights and freedoms of data subjects;
- The controller publishes the notice or takes other similar actions to notify data subjects of the breach in a uniform and effective manner, where notifying each individual data subject would impose a disproportionate burden on the controller.
Processor’s notification to the controller (Article 29)
The processor shall notify the controller immediately after becoming aware of any personal data breach.
Enforcement in Albania
The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner is responsible, inter alia, for:
- Ensuring that data subjects can exercise their rights, including providing them with information and advice on these rights;
- Investigating the compliance of personal data processing activities with the Data Protection Law, either proactively or in response to a complaint;
- Reviewing complaints filed by individuals or non-profit entities, organizations, or associations representing individuals, in cases of alleged violations of the Data Protection Law;
- Evaluating the responses provided by competent authorities to data subjects’ requests regarding their rights of access, rectification, or erasure;
- Imposing administrative sanctions and penalties, and overseeing their enforcement.
Administrative offenses related to the processing of personal data may result in a fine of up to ALL 2,000,000,000 (approximately EUR 20,300,000), or, in the case of a company, up to 4% of its total annual global turnover from the previous financial year, whichever amount is greater.
The Commissioner shall issue a directive outlining the rules regarding the imposition of administrative sanctions, which will be based on the guidelines established by the European Data Protection Board.
The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate the administrative trials.
Electronic marketing in Albania
Electronic and direct marketing under the Data Protection Law
The Data Protection Law does not explicitly refer to electronic marketing; nevertheless, it will apply to most electronic marketing activities since they typically involve personal data, like an email address that includes the recipient’s name.
Personal data may be processed for direct marketing purposes as a means of communicating with identifiable individuals to promote goods or services. This includes advertising membership in organizations, soliciting donations, and any direct marketing activities, which also cover any preparatory actions taken by the advertiser or a third party to facilitate such communication (Article 46(1)).
The most common legal grounds for the processing of data for direct marketing are:
The legitimate interests of the controller
Processing for direct marketing purposes, whether carried out by the controller or by third parties, may be based on legitimate interests, provided that the interests of the protection of data subjects are not overridden. This also applies to the use of data obtained from publicly accessible sources for direct marketing purposes.
The consent of the data subject
When relying on consent, it is essential to adhere to the requirements set by Data Protection Law. Notably, when personal data is processed for direct marketing purposes, the data subject has the right to object at any time, without needing to provide a reason, to the processing of their personal data for such purposes, including profiling insofar as it relates to them (Article 19(2) and Article 46(4)).
Furthermore, the controller must be able to demonstrate that the data subject has given consent for the processing of their personal data. If consent is provided in the context of a written statement that includes other matters, the request for consent must be clearly distinguishable from the other information. It should be presented in an intelligible and easily accessible format, using clear and plain language (Article 8(2)). In the context of direct marketing, marketing consent forms should include clear opt-in mechanisms, such as checking an unchecked consent box or signing a statement, rather than just accepting terms and conditions or assuming consent based on actions like visiting a website.
The processing of a minor’s personal data based on consent, in the context of online goods or services directly offered to them, is lawful only if the minor is at least 16 years old. If the minor is under 16, the processing is lawful only if consent is given or authorised by the minor’s parent or legal guardian, and only to the extent that it is given or authorised by them (Article 8(6)).
The processing of sensitive data for direct marketing purposes is carried out with the explicit consent of the data subject (Article 46(3)).
The Commissioner has issued an Instruction no. 06, dated 28 May 2010 “On the correct use of SMSs for promotional purposes, advertising, information, direct sales, via mobile phone”. This instruction emphasizes the importance of the prior consent given by the data subject.
Electronic and direct marketing under the Electronic Communications Law
According to Law 54/2024 “On electronic communications in the Republic of Albania” (“Electronic Communications Law”), natural or legal persons who possess the email addresses of their customers for their products or services may use these addresses for direct marketing of similar products or services only if they have obtained the explicit consent of the customers to be contacted for marketing purposes. Additionally, they are required to provide customers with a simple and free way to opt out of the use of their email address for marketing purposes at any time. It is also prohibited to send SMS or email messages for direct marketing purposes if the sender’s identity is concealed or if a valid address is not provided, through which the recipient can request the cessation of such communications (Article 165 “Unsolicited communications”).
Online privacy in Albania
Online privacy under the Data Protection Law
The Data Protection Law does not include specific regulations for cookies or location data. However, location data and online identifiers (which include cookies) are considered identifying factors for data subjects. As such, the general data protection provisions outlined in the Data Protection Law also apply to online privacy.
Apart from the general data protection principles applied mutatis mutandis, the Data Protection Law contains few specific provisions regarding online privacy. These include:
Right to rectification and erasure (Article 15(2)(dh))
The data subject has the right to request the erasure of personal data relating to them from the controller. The controller is required to erase the personal data as soon as possible, and in any case, no later than 30 days from the receipt of the request, if the data was collected in the context of online provision of goods or services.
The right to be forgotten (Article 16)
When the controller has made personal data public and is required to erase it, they must take reasonable steps, including technical measures, to notify other controllers processing those data that the data subject has requested the removal of any link, copy, or reproduction of the personal data, considering the applicable technology and implementation costs. Additionally, at the data subject’s request, operators of internet search engines must remove outdated information from search results based on the data subject’s name if that information, although no longer current, significantly harms the data subject’s reputation.
In order to provide some clarification on the notion of cookies and their use, the Commissioner has defined cookies in an online dictionary as data stored on the computer which contain specific information. This rudimentary definition is complemented by a short explanation stating that cookies allow any server to know which pages have been visited recently, simply by reading them.
The Commissioner has also released an opinion (which is somewhat outdated and non-binding for data controllers) regarding the protection of personal data on the websites of both public and private entities. In this opinion, the Commissioner highlights the obligations of data controllers under the Data Protection Law, as well as the rights of data subjects, which must also be observed in the context of online personal data collection:
- The right to be fully informed and to give their approval if a website (or an application) processes their data;
- The right to keep their online communications secret (including email, the computer’s IP or modem No.);
- The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected);
- The right to request that their personal data be excluded from processing for direct marketing purposes if they have not given their consent.
Additionally, in this opinion, the Commissioner stresses the importance of public and private controllers drafting and publishing privacy policies on their websites, including, among other things:
- The identity of the controller;
- The information collected from the users, specifying the category of personal data;
- Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users that use the website and to notify the latter about their use.
Online privacy under the Electronic Communications Law
The Electronic Communications Law defines “location data” as any data processed in an electronic communications network, indicating the geographical position of the terminal equipment of a user of the electronic communications network.
Location data may only be processed when they are made anonymous or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.
The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.
Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time. Users or subscribers must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.
Processing of location data must be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added service (Article 163 of the Electronic Communications Law).
Obligation to designate a Data Protection Officer (“DPO”) (Article 33)
The controller and the processor must designate a DPO if:
- The processing is carried out by a public authority or body, excluding courts acting in the course of their judicial activities;
- The core activities of the controller or processor involve processing operations that, due to their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or processor involve processing sensitive data or criminal data on a large scale.
A group of companies may appoint a single DPO, who should be easily accessible to each member of the group. In the case of a public authority, one DPO may be designated to cover multiple authorities, considering their organizational structure and size.
In situations not covered by the first paragraph above, the controller, processor, associations, or other bodies representing a category of controllers or processors may, or in some cases must, designate a DPO, as required by law.
Duties and position of the DPO (Article 34)
The DPO has the following duties:
- Provides advice, upon request, to the management bodies of the controller or processor on all matters related to data protection;
- Participates in data protection impact assessments;
- Informs and advises the staff of the controller or processor on data protection, including raising awareness and training staff involved in processing operations;
- Monitors compliance with the Data Protection Law, other applicable data protection provisions, and the policies of the controller or processor, including the assignment of responsibilities, awareness-raising, staff training, and relevant audits;
- Cooperates with and serves as a point of contact for the Commissioner;
- Gives due attention to the risks of infringing fundamental rights and freedoms that may arise from personal data processing, considering the nature, context, circumstances, and purposes of the processing.
The DPO must be appointed based on certified professional qualifications, particularly with sound knowledge of data protection law and practices, and the ability to perform the tasks outlined in the paragraph above.
The DPO may be an employee of the controller or processor, or someone under a service contract. The DPO may hold other responsibilities, but the controller or processor must ensure these duties do not conflict with the role of the DPO.
The controller and processor must ensure the DPO is involved in a timely manner in all matters related to data protection and has the necessary resources to carry out their duties. The DPO must also maintain confidentiality regarding their duties.
The controller and processor must ensure the DPO is not given instructions regarding the performance of their duties and cannot be dismissed or penalized for carrying out their responsibilities. The DPO reports directly to the highest level of management of the controller or processor.
Each natural or legal person processing personal data must designate its data controller or authorised representative and communicate the latter's contact details to the National Authority.
The form for appointing a representative is available on the portal of the National Authority's website.
The data controller shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
The data controller or its authorised representative will be considered the official contact for the National Authority.
In the case of a data controller established abroad:
In accordance with Article 04 (point 02) of Law No. 18-07 concerning the protection of individuals with regard to the processing of personal data (free translation):
"When the data controller is not established in the Algerian territory but uses, for the purpose of processing personal data, automated or non-automated means located in the Algerian territory, excluding processing used solely for transit within the national territory.
In this case, the data controller must notify the national authority of the identity of its representative established in Algeria, who, without prejudice to their personal responsibility, replaces them in all their rights and obligations arising from the provisions of this law and the texts adopted for its implementation."
In any case, all the forms to be completed are available on the National Authority's website or on direct request by e-mail to: [email protected].
There is no requirement to appoint a data protection officer.
Generally, there is no specific requirement to appoint a data protection officer. Under certain circumstances, in which special security standards apply, it may be necessary to appoint an officer in charge of data security.
No requirement to appoint a data protection officer.
National Ordinance Person Registration
Pursuant to article 8 of the National Ordinance Person Registration, the data controller shall implement appropriate technical and organizational measures to secure personal data against loss and against unauthorized access, alteration or transmission.
Besides the measures above, the National Ordinance Person Registration does not contain any clauses on appointing a mandatory data protection officer.
GDPR
The appointment of a data protection officer under the GDPR is only mandatory in three situations:
- When the organisation is a public authority or body;
- If the core activities require regular and systematic monitoring of data subjects on a large scale; or
- If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.
Organizations are not required to appoint a data protection officer. However, the Information Commissioner has issued guidance recommending that organizations appoint a data protection officer as good practice.
EU regulation
Each controller or processor is required to appoint a data protection officer if one of the following conditions is met:
- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.
Austria regulation
Section 5 of the DSG contains additional rules on the rights and obligations of the DPO. Under these rules, the DPO and all persons working for the DPO are obliged to maintain confidentiality regarding the identity of the persons who have approached the data protection officer, as well as regarding all circumstances that could reveal the identity of such persons.
Under certain circumstances, the DPO and their assistant personnel have the right to refuse to testify regarding data obtained in their capacity as data protection officer, if a person employed in a position subject to the data protection officer's supervision is entitled to such a right and to the extent that person has exercised it. All files and other documents of the data protection officer which are subject to this statutory right to remain silent, to the aforementioned extent, cannot lawfully be seized.
Further regulations in Section 5 concern the DPOs of public organizations.
The DPA, through its officers, may demand that legal entities and individuals remedy violations of statutory requirements, and may also take the necessary actions to hold accountable persons who have breached the statutory requirements regarding the collection, processing and protection of personal data.
There is no statutory duty to appoint a Data Protection Officer under DPA.
Data controllers may voluntarily appoint a data protection officer. The Authority's Board of Directors may also issue a decision requiring specific categories of data controllers to appoint data protection officers. However, in all instances, the data controller must notify the Authority of such an appointment within three days of its occurrence.
A data protection officer must help the data controller in exercising its rights and fulfilling its obligations prescribed under the PDPL. The data protection officer also has a number of other roles, including liaising with the Authority, verifying that personal data is processed in accordance with the PDPL, notifying the Authority of any violations of the PDPL that the data protection officer becomes aware of, and maintaining a register of the processing operations that the data controller must notify to the Authority.
The Authority must create a register of data protection officers. To be accredited as a data protection officer, an individual must be registered in that register.
No requirements.
The data controller and the data processor must designate a data privacy officer where:
- the processing is carried out by a public authority or body, except for a court of competent jurisdiction acting in their judicial capacity;
- the core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the data controller or the data processor consist of processing on a large scale of sensitive personal data.
The data privacy officer must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the duties and functions as set out under the Act.
Data Protection Law obliges operators to designate a structural unit or person responsible for the internal control of personal data processing. This shall be an internal unit or employees of the organisation, i.e. it is not possible to outsource the control functions. The legislation establishing obligations of different positions stipulates that the specialist of internal control over personal data processing shall have higher education, while no requirements for work experience are established.
Persons responsible for the internal control of personal data processing shall complete training on issues related to personal data protection at least once every five years. Depending on the type of organisation, the training may be organised at NPDPC or other educational organisations. In addition, the operators shall annually by 15 November provide NPDPC with information on the number of persons who shall complete training at NPDPC.
Moreover, a legal entity, including a state body, processing personal data shall create information protection systems to secure information in the information systems used for processing such data. As part of creating such a system, the entity should establish a special department or appoint an employee responsible for taking the required technical and cryptographic information protection measures. According to the Information Protection Edict, the employees of such a department (or the responsible employee) are required to have a higher education in information protection security, or another higher, specialised secondary or professional-technical education, and to undergo training on technical and cryptographic information protection.
If for some reason the respective departments or employees cannot take such measures themselves, a special organisation licensed to perform technical and/or cryptographic information protection activities may be engaged.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.
This is a good example of an area of the GDPR where Member State gold-plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Belgium regulation
In addition to the GDPR, the Data Protection Act requires the appointment of a DPO depending on the impact of the processing activity, namely if it may entail a high risk as referred to in article 35 of the GDPR when (i) a private law body processes personal data on behalf of a federal public authority, or a federal public authority transfers personal data to this private law body, in the context of police services [1]; or (ii) the processing falls under the exception necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes [2]. Some public authorities regulated by the Data Protection Act are also required to appoint a DPO [3].
The Data Protection Authority has addressed the GDPR requirements for the appointment of DPOs and the exercise of its tasks in several cases, including in relation to the position of the DPO and its independence, the obligation to directly report to the highest management level, the necessary resources to carry out his tasks and the requirement that a DPO must have “expert knowledge”.
Footnotes
[1] Art. 21 Data Protection Act.
[2] Art. 190 Data Protection Act.
[3] The Center for Missing and Sexually Exploited Children (Child Focus), Art. 8 para. 3 Data Protection Act; competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, implementing Directive 2016/680, Art. 63 et seq. Data Protection Act; intelligence and security services, Art. 91 Data Protection Act; bodies for security clearances, certificates and recommendations, Art. 124 Data Protection Act; Coordination Unit for Threat Assessment, Art. 157 Data Protection Act.
According to Article 430 of the Digital Code, a Data Protection Officer (DPO) must be appointed when the data controller is a state-owned organization or when the activities of the data controller or data processor involve monitoring individuals or processing sensitive data on a large scale.
Although the Digital Code does not impose a strict duty for the appointment of a DPO, organizations with a DPO are exempt from notifying the APDP of data processing (Article 408 of the Digital Code).
Organisations covered by PIPA are required to appoint a "privacy officer" for the purposes of compliance with PIPA and communication with the Privacy Commissioner.
There is no mandatory requirement to appoint a formal data security officer or data protection officer.
Personal Data Protection Act BES
Pursuant to article 13 of the Personal Data Protection Act BES the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data.
Besides the measures above, the Personal Data Protection Act BES does not contain any clauses on any type of registration, filings of documents to any public agency or having a mandatory data protection officer in place.
GDPR
The appointment of a data protection officer under the GDPR is only mandatory in three situations:
- When the organisation is a public authority or body;
- If the core activities require regular and systematic monitoring of data subjects on a large scale; or
- If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.
There is no statutory obligation that the entity which processes personal data has a data protection officer. The Rules on the Manner of Keeping and Special Measures of Personal Data Technical Protection (Official Gazette of BiH no. 67/09) (Rules) stipulate that a controller can have an administrator of the Database. Such administrator is a natural person authorized and responsible for managing the Database and ensuring privacy and protection of personal data processing, in particular regarding implementation of security measures, storage and protection of data.
Unlike the DP Law, the Draft Data Protection Law provides for the obligation of the data controller and processor to ensure the proper and timely involvement of the data protection officer in all issues related to the protection of personal data. The position and tasks of the data protection officer envisaged by the Draft Data Protection Law correspond to those prescribed by the GDPR.
A data controller has the option to appoint a data protection representative who holds the requisite qualifications, their role being to independently ensure that personal data is processed in a correct and lawful manner, and in accordance with good practice.
The data protection representative is responsible for keeping a list of the processing carried out and the list should be immediately accessible to any person applying for access. Upon identifying any inadequacies, the data protection representative should bring such inadequacies to the attention of the data controller and assist in ensuring that the data subject’s rights under the DPA are protected.
Where a data protection representative has been appointed, the notification to the Commissioner regarding wholly or partially automated processing operations is not required.
If a data protection representative has reason to suspect that the data controller is contravening the rules applicable for processing personal data, and if rectification is not implemented as soon as practicable after the contravention is pointed out, the data protection representative must then notify the Commissioner.
The appointment and removal of a data protection representative must be notified to the Commissioner.
The LGPD creates the position of Chief of Data Processing, which is the data protection officer (DPO) in charge of data processing operations. The DPO is responsible for the following:
- Accepting complaints and communications from data subjects and the National Authority
- Providing guidance to employees about good practices and carrying out other duties as determined by the controller or set forth in complementary rules
On July 16, 2024, the National Data Protection Authority (ANPD) published Regulation CD/ANPD 18/2024, which provides that data processors are not required to appoint a DPO, although doing so is considered good practice by the ANPD. The appointment of a DPO is also not required for small businesses, startups and innovative companies, as defined by law, except for those performing data processing activities which entail high risks for data subjects [1], pursuant to ANPD Regulation CD/ANPD 02/2022.
Regulation no. 18/2024 also provides that the appointment of the DPO must be made through a formal act, i.e., a written document, dated and executed, which clearly and unequivocally demonstrates the data processing agent’s intention to appoint a natural person or a legal organization as DPO, including the DPO’s roles and activities.
According to the mentioned Regulation, the DPO may be (i) a natural person, either internal or external to the data processing agent (controller or processor), or (ii) a legal organization. The DPO is required to be able to communicate with data subjects and with the ANPD in a clear and precise manner and in Portuguese.
In addition, the DPO’s identity and contact information shall be made publicly available, in a clear and objective manner, in a highlighted and easily accessible place on the organization’s website. If the DPO is a natural person, their full name must be disclosed; if the DPO is a legal organization, its corporate name and trade name must be disclosed, as well as the full name of the natural person responsible for it.
Even though the DPO may carry out more than one activity within an organization, the DPO may not be responsible for functions within the same organization that could result in a conflict of interest, such as carrying out activities that involve making strategic decisions related to the processing of personal data by the controller, which does not include making decisions related to the processing of personal data which is inherent to the exercise of the DPO's duties.
Due to the absence of legal or regulatory requirements, there is no need to communicate or record the identity and contact information of the DPO with the ANPD.
[1] The following entities are considered Small-Sized Processing Agents:
- micro-enterprises and small size businesses, as defined by Art. 41, Law No 14,195/2021
- entrepreneur, as defined by the Civil Code No 10,406/2002
- start-ups, as defined by Law No 182/2021
- non-profits organizations
- natural persons and depersonalized private entities who process personal data, assuming the typical obligations of a controller or operator.
Small-Sized Processing Agents must not earn gross revenue higher than BRL 4.800.000,00 (or, in the case of start-ups, BRL 16.000.000,00), must not belong to an economic group whose global revenue exceeds those limits as defined by the corresponding laws, and must not perform high-risk processing. According to the Regulation, a high-risk data processing activity meets at least one general and one specific criterion among those listed in the Regulation. The general criteria are: (i) processing of personal data on a large scale; and (ii) processing of personal data which may significantly affect the data subjects’ interests and fundamental rights. The specific criteria are: (i) use of emerging or innovative technologies; (ii) surveillance or control of publicly accessible areas; (iii) decisions made exclusively on the basis of automated data processing; and (iv) use of sensitive data or personal data belonging to children, adolescents and elderly people.
There is no requirement under the DPA for a data protection officer to be appointed.
At present there is no legal requirement.
It is anticipated that the PDPO will require an organization to appoint a data protection officer who shall be responsible for ensuring that the organization complies with the PDPO and develops and implements the policies and practices necessary to meet its obligations under the PDPO, including a process to receive complaints. AITI have indicated that they may issue advisory guidelines in the future to provide clarity and guidance on the topic of Data Protection Officers.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Bulgaria regulation
The Personal Data Protection Act does not set an explicit requirement to appoint a data protection officer ("DPO"), so the general requirement under the GDPR applies. Pursuant to the Personal Data Protection Act, data controllers are obliged to communicate the personal details and contact details of the DPO, as well as any subsequent replacements, to the Commission for Personal Data Protection, and must also publish the DPO's contact details. An approved notification form, recently updated by the Commission for Personal Data Protection, is available online (in Bulgarian only).
We have not identified any obligation to appoint a data protection officer ('DPO') or any other equivalent role in the law.
There is no requirement to appoint a data protection officer.
Since Cambodia has no dedicated data protection law, there is no specific requirement to appoint a data protection officer tasked with handling, overseeing or implementing data protection matters.
Article 38 of the draft of 2024 data protection law provided for the mandatory appointment of a DPO not on the basis of the size of the company but rather on the type and quantity of data processed, the systematic nature of the processing or the number of persons concerned by the processing carried out by the company.
The final version of the law adopted did not include this provision. It is therefore likely that this point will be regulated in the decree implementing the 2024 law on data protection or a subsequent regulatory text of the Ministry of Posts and Telecommunications.
PIPEDA, PIPA Alberta, and PIPA BC expressly require organizations to appoint an individual responsible for compliance with the obligations under the respective statutes.
The Quebec Private Sector Act, as modified by Bill 64, requires organizations to appoint a person responsible for the protection of personal information, who is in charge of ensuring compliance with privacy laws within the organization. By default, the person with the highest authority within the organization is the person responsible for the protection of personal information; however, this function can be delegated to any person, including a person outside the organization.
This person’s responsibilities are broadly defined in the law and include:
- Approval of the organization’s privacy policy and practices
- Mandatory privacy impact assessments
- Responding to and reporting security breaches, and
- Responding to and enacting access and rectification rights
The contact information of the person responsible for the protection of personal information must be published online on the website of the organization. The delegation must be done in writing.
The appointment of a data protection officer is mandatory when:
- processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 8 (sensitive data) or personal data relating to criminal convictions and offences referred to in Article 11 (criminal convictions and offences).
There is no requirement for organizations to appoint a data protection officer under the DPA, though this may be recommended for larger or complex organizations.
There are no specific provisions relating to the appointment of a Data Protection Officer (DPO) under the Act. This issue is left to the exclusive discretion of data controllers.
The PDPL does not require the appointment of a Data Protection Officer.
Under the PIPL, organisations which meet certain data processing volume thresholds (as yet unspecified by the CAC) are required to appoint a Data Protection Officer (DPO), and to register the name(s) and contact details of the responsible person with the relevant data protection authority.
For organisations based outside of the PRC, but processing PRC personal information, a specific representative or organisation within the PRC should be appointed, and details reported to the data protection authority.
Details of how and when the DPO or representative (as the case may be) should be registered are awaited.
Whilst the authorities have yet to announce the volume threshold for DPO requirements applicable under the PIPL, the PIS Specification requires an organization to appoint a data protection officer and a data protection department if the organization:
- has more than 200 employees and its main business line involves data processing;
- processes personal information of more than 1,000,000 individuals, or is estimated to process personal information of more than 1,000,000 individuals; or
- processes sensitive personal information of more than 100,000 individuals.
There is no requirement to appoint a formal data protection officer in Colombia. However, companies are required to appoint either a specific person or a designated group within the company to be in charge of personal data matters, specifically the handling of data subject rights and privacy requests.
Obligation to designate a CPDCP
- According to Article 5 of Law 2013-450, the processing of personal data is subject to a prior declaration to the ARTCI. However, this obligation to declare may be waived if the controller designates a CPDCP, except in the case of the transfer of personal data to a third country. The designation of a CPDCP is therefore a choice that exempts the declaration, and not a legal obligation (Article 6 of the aforementioned law).
- When the data controller opts to designate a CPDCP, it must notify the ARTCI of this designation (Article 6 of the Order on the correspondent's profile).
- The CPDCP is responsible for independently ensuring compliance with the legal obligations relating to the protection of personal data.
Qualifications required for the CPDCP
- Law no. 2013-450 stipulates that the CPDCP must have the necessary qualifications to carry out his or her duties.
- Order No. 511/MPTIC/CAB of 11 November 2014 specifies the profile required for the CPDCP, which differs depending on whether it is a natural or legal person:
  - For natural persons:
    - be of Ivorian nationality (implied);
    - have at least a BAC+4 level in legal sciences, computer science or telecommunications/ICT networks, or an equivalent diploma;
    - have at least two years' professional experience in these fields;
    - have proven competence in personal data protection;
    - have a good knowledge of database management and operating systems, data storage methods and information systems security policies;
    - have mastery of office automation tools and the internet;
    - have excellent interpersonal and organisational skills;
    - not have been the subject of a final criminal conviction or a ban on exercising an activity, handed down by an Ivorian or foreign court, or of a sanction handed down by the ARTCI.
  - For legal entities:
    - be a legal person under Ivorian law;
    - prove tax compliance and registration with social security institutions;
    - have been active for at least five years in legal sciences, information technology or telecommunications/ICT networks, and provide proof of this;
    - have insurance covering professional risks relating to the protection of personal data;
    - have staff with at least the profile of a natural-person CPDCP.
It is important to note that the controller cannot be designated as a CPDCP.
A natural-person CPDCP can only be designated by a single controller and may carry out his or her duties only for that controller. A legal entity, on the other hand, may be appointed by several data controllers.
Duties of the CPDCP
The CPDCP is responsible for ensuring, in an independent manner, compliance with the legal obligations relating to the protection of personal data.
Its main missions, defined by Law No. 2013-450, and specified by Order No. 511/MPTIC/CAB include:
- maintaining the list of data processing operations carried out;
- keeping a copy of the codes and passwords required to access files relating to the processing;
- providing access to data to any data subject who requests it in order to exercise their rights;
- ensuring compliance with legislation on the protection of personal data;
- informing and advising the data controller and employees on their legal obligations in relation to data protection;
- notifying the data controller of any breaches of legislation observed;
- notifying the ARTCI of breaches not corrected within three months of being reported to the controller;
- notifying the ARTCI of any difficulties encountered in carrying out its duties.
Other important elements
- The appointment of the CPDCP must be notified to the ARTCI.
- The ARTCI has 30 days to object to the designation if the CPDCP does not meet the required profile.
- The CPDCP may not be sanctioned by his or her employer for the performance of his or her duties.
- The controller may replace the CPDCP for a legitimate reason, after informing the CPDCP and giving him/her the opportunity to present his/her observations. The replacement must also be notified to the ARTCI.
- Decree No. 2015-79 specifies that applications to file a declaration and authorisation for the processing of personal data must be submitted by a natural person resident in Côte d'Ivoire or a legal person under Ivorian law.
There is no requirement for a data protection officer.
EU regulation
The GDPR requirements on the appointment, position and tasks of the data protection officer are as set out under "EU regulation" above.
Croatia regulation
The Act does not contain any special requirements relating to data protection officers other than those imposed by the GDPR. AZOP must, however, be informed of the appointment of the DPO and of any change of DPO.
There is no general requirement under binding Cuban rules for organisations to appoint a data protection officer.
National Ordinance Personal Data Protection
Pursuant to article 13 of the National Ordinance Personal Data Protection, the responsible party shall implement appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the state of the art and the costs of implementation, in view of the risks associated with the processing and the nature of the data to be protected. The measures shall also be aimed at preventing unnecessary collection and further processing of personal data.
Besides the measures above, the National Ordinance Personal Data Protection does not contain any clauses on any type of registration, filings of documents to any public agency or having a mandatory data protection officer in place.
GDPR
The appointment of a data protection officer under the GDPR is only mandatory in three situations:
- When the organisation is a public authority or body;
- If the core activities require regular and systematic monitoring of data subjects on a large scale; or
- If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.
The GDPR requirements on the appointment, position and tasks of the data protection officer are as set out under "EU regulation" above.
The Digital Code provides for the possibility to designate a "délégué à la protection des données à caractère personnel", that is, a person responsible for the protection of personal data or Data Protection Officer, without however regulating the role in detail. The Digital Code only provides for some of its duties, namely:
- informing and advising the controller or processor and the employees who carry out the processing on their obligations under the data protection provisions of the Digital Code;
- monitoring compliance with the data protection provisions of the Digital Code and with the controller's or processor's internal rules on the protection of personal data, including with regard to the allocation of responsibilities, the awareness and training of staff involved in processing operations, and related audits;
- providing advice, on request, on data protection impact assessments and verifying that they are carried out in accordance with the Digital Code;
- cooperating with the APD;
- acting as a focal point for the authority responsible for the protection of personal data on matters.
EU regulation
The GDPR requirements on the appointment, position and tasks of the data protection officer are as set out under "EU regulation" above.
Denmark regulation
Under the Regulation, organizations shall designate a data protection officer (‘DPO’) in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
- the core activities of the data controller or the processor consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or
- the core activities of the controller or the processor consist of processing on a large scale of Special Categories of Personal Data and personal data relating to criminal convictions and offences
The DPO shall be selected based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in the GDPR.
Under the Danish Data Protection Act, the DPO is subject to a duty of secrecy and is prohibited from wrongful disclosure or use of any personal data processed in their capacity of being DPO.
There is no requirement to appoint a data protection officer under the DPL.
Each controller or processor is required to appoint a data protection officer (DPO) if it satisfies one or more of the following tests:
- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities, provided that it does not give rise to a conflict of interests.
DPOs must exercise their duties in a "professional manner" for the controller or processor, though it is possible to outsource the DPO role to a service provider.
The DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks.
The specific tasks of the DPO include:
- to inform and advise on compliance with the Personal Data Protection Organic Law;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the Superintendence of Data Protection.
Pursuant to Article (8) of the Law, the legal representative of the juristic person of the controller or the processor shall appoint a competent employee within its entity as a Data Protection Officer (the "DPO") responsible for personal data protection. The DPO must be registered on the DPO register at the Centre. The DPO shall be responsible for enforcing the provisions of the Law and the decisions of the Centre, as well as monitoring and supervising the procedures applicable within the entity and receiving requests related to personal data. The DPO shall, in particular, undertake the following:
- Perform a regular evaluation and inspection of the personal data protection systems and avoid infringement thereto as well as documenting the results of such evaluation and issuing the necessary recommendations for its protection.
- Act as a direct contact point with the Centre and implement its decisions, with respect to the application of the provisions of the Law.
- Enable the data subject to practice its rights stipulated under the Law.
- Notify the Centre of the occurrence of any breach of personal data within his entity.
- Reply to the requests submitted by the data subject or any relevant person and reply to the complaints filed by them to the Centre.
- Follow-up the registration and update the personal data records held by the controller, or the processing activity records held by the processor, to guarantee the accuracy of the data and information recorded therein.
- Eliminate any transgressions related to personal data within its entity and undertake the corrective actions related thereto.
- Organise the necessary training programmes for the employees of the relevant legal entity, who are required to have sufficient qualifications complying with the requirements stipulated by the Law.
To date, only Public Offices/Institutions are required to appoint a Public Information Access Officer; no Data Protection Officer regulation is in place.
The Governing Data Protection Body through its Technical Secretariat is responsible for ensuring the administration of personal data files, regardless of their ownership, is done in due compliance with the provisions of the law.
EU regulation
The GDPR requirements on the appointment, position and tasks of the data protection officer are as set out under "EU regulation" above.
Estonia regulation
In relation to DPOs, the PDPA and the Implementation Act do not provide for any derogations from, or additional requirements to, the GDPR.
There is no requirement to appoint a data protection officer.
None.
None.
EU regulation
The GDPR requirements on the appointment, position and tasks of the data protection officer are as set out under "EU regulation" above.
Finland regulation
In Finland, the new Data Protection Act does not contain specific local requirements on data protection officers. However, a few special national acts stipulate the mandatory appointment of data protection officers.
For example, in Finland all functional units of healthcare and social welfare, as well as pharmacies, must appoint a data protection officer under the Act on Electronic Prescriptions 2007/61 (Laki sähköisestä lääkemääräyksestä) and under the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (159/2007) (Laki sosiaali- ja terveydenhuollon asiakastietojen sähköisestä käsittelystä).
France regulation
The Law provides that controllers processing personal data under the scope of the EU Data Protection Directive on Police and Criminal Justice Cooperation must appoint a DPO, with the exception of jurisdictions acting within the scope of their judicial activity.
The Decree specifies the mandatory information to be communicated to the CNIL by data controller(s) or processor(s) in the DPO notification form.
On 20 September 2018, the CNIL issued two standards regarding the certification of DPO skills: one regarding the skills and know-how expected to be certified as DPO (CNIL Deliberation No. 2018-318), and the other one regarding the criteria applicable to certifying DPO organizations (CNIL Deliberation No. 2018-317). These Deliberations were recently updated notably to adapt the procedure of accreditation of the organizations authorized to certify the DPOs’ skills and to enable candidates to take the certification test remotely (CNIL Deliberation No. 2022-128 and CNIL Deliberation No. 2023-062).
In March 2022, the CNIL also published a Guide for DPOs that combines useful knowledge and best practices to help organizations in appointing and supporting DPOs.
Under the new law on personal data, the appointment of a DPO is no longer left exclusively to the discretion of the data controller. Indeed, the law establishes specific situations in which a DPO must be appointed, thus limiting the discretionary power of the data controller. These conditions, governed by article 125, are as follows:
- Where the processing is carried out by a public authority or public body, with the exception of courts acting in the exercise of their judicial function;
- Where the basic activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic large-scale monitoring of the data subjects;
- Where the basic activities of the controller or processor consist of large-scale processing of sensitive data and data relating to convictions for criminal offences.
In addition, according to article 130 of the aforementioned law on personal data, this position must be held by a person with the qualifications required to carry out his or her duties, namely professional qualities, particularly relating to knowledge of the law and matters relating to data protection.
According to Article 138, the Data Protection Officer is responsible for ensuring that data processing is compliant. His duties cover all processing carried out by the body that appointed him. In this capacity, he is responsible for:
- informing and advising the data controller or data processor, as well as the people in the organisation who process the data, of their obligations under this law;
- monitoring compliance with this law and with the internal rules put in place by the data controller or data processor with regard to data protection, including the allocation of responsibilities and the awareness and training of staff involved in data processing and auditing operations;
- giving an opinion on data protection impact assessments and checking that they have been carried out;
- cooperating with the APDPVP, including in the event of prior consultation by the controller when a data protection impact assessment is carried out, and consulting it, as appropriate, on any other matter.
As per the Data Protection Law (Article 33), public institutions, insurance organizations, commercial banks, micro-finance organizations, credit bureaus, electronic communication companies, airlines, airports, and medical institutions, as well as controllers / processors processing the data of a significant number of data subjects or carrying out systematic and large-scale monitoring of their behavior, are obliged to appoint or designate a personal data protection officer. The personal data protection officer, in turn, shall:
- inform a controller, a processor and their employees on matters related to data protection, including on matters related to the adoption or modification of regulatory legal norms, and provide them with consultation and assistance in terms of the methodology used;
- participate in the development of internal regulations related to data processing and the data protection impact assessment document, and also monitor whether a controller or a processor complies with the legislation of Georgia and the internal organizational documents;
- analyze received applications and grievances regarding data processing and make appropriate recommendations;
- receive consultations from the Personal Data Protection Service, represent a controller and a processor in the relationship with the Personal Data Protection Service, submit information and documents at its request, and coordinate and monitor the execution of its tasks and recommendations;
- in the event of an application by a data subject, provide him / her with information on data processing and his / her rights;
- perform other functions for ensuring the improvement of standards of data processing by a controller and a processor.
Except for the cases listed in the first paragraph above, other controllers / processors have the right, at their own discretion, to appoint or designate a personal data protection officer. It is to be noted that the function of a personal data protection officer may be performed by an employee of a controller or a processor or by other person(s) on the basis of a service contract. The personal data protection officer has the right to perform other functions unless they give rise to a conflict of interest.
Furthermore, a controller or a processor is allowed to appoint or designate a common personal data protection officer provided that he / she is able to fulfil his / her functions. If the controller or the processor is a public institution, it is also permissible to appoint or designate a common personal data protection officer for several state institutions, taking into account the organizational structure and size of the said institutions. A personal data protection officer needs to have appropriate knowledge in the field of data protection and be accountable to the highest governance structure, taking into account the specific circumstances.
A controller and a processor are obligated to ensure the proper involvement of a personal data protection officer in the process of taking important decisions regarding data processing, provide him / her with appropriate resources, and ensure his / her autonomy during the carrying out of activities. They are also obliged to provide to the Personal Data Protection Service information on the identity and contact details of a personal data protection officer, who is in charge of making such information public; this needs to be carried out within 10 working days after the appointment or designation and / or replacement of the relevant personal data protection officer. In addition to that, the controller and the processor are obliged to publish the identity and contact details of the personal data protection officer on a website (if any) in a proactive manner, or through other available means. In the case of the temporary absence of a personal data protection officer or the termination of his / her authority, the controller and the processor are obliged, without unjustifiable delay, to grant the authority of the personal data protection officer to another person.
Germany regulation
The threshold to designate a DPO is much lower in the BDSG. The controller and processor have to designate a DPO if they constantly employ, as a rule, at least 20 persons dealing with the processing of personal data by automated means (Section 38 (1) sentence 1 BDSG). The meaning of ‘automated processing’ is interpreted broadly by the German authorities; it basically covers every employee who works with a computer.
If the threshold of 20 persons is not reached, Section 38 (1) sentence 2 BDSG provides that a DPO has to be designated in case the controller or processor undertakes processing subject to a data protection impact assessment pursuant to Article 35 GDPR, or if they commercially process personal data for the purpose of transfer, of anonymized transfer, or for purposes of market or opinion research.
A dismissal protection for the DPO is provided in Section 38 (2) in conjunction with Section 6 (4) BDSG. Where the controller or processor is obliged to appoint a DPO, the dismissal of a DPO, who is an employee, is only permitted in case there are facts which give the employing entity just cause to terminate without notice. After the activity as DPO has ended, a mandatory DPO who is an employee may not be terminated for a year following the end of appointment, unless the employing entity has just cause to terminate without notice.
Additionally, Section 38 (2) in conjunction with Section 6 (5) and (6) BDSG stipulates that the DPO shall be bound by secrecy concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless he / she is released from this obligation by the data subject. Also, the DPO has the right to refuse to give evidence under certain conditions.
Moreover, the German supervisory authorities expect that the DPO speaks the language of the competent authority and the data subjects, i.e. German, or at least that instant translation is ensured.
Each supervisory authority maintains a register of DPOs. No fee is charged for registering or updating the details of a DPO.
There is no specific requirement to appoint a data protection officer. However, under the Data Protection Act, 2012 (Act 843) a data controller may appoint a certified and qualified data supervisor to act as a data protection supervisor. The data protection supervisor is responsible for monitoring the data controller’s compliance with the provisions of the Data Protection Act. A person shall not be appointed as a data protection supervisor unless the person satisfies the criteria set by the Data Protection Commission.
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in Gibraltar GDPR, include (Article 39):
- to inform and advise on compliance with Gibraltar GDPR and other Gibraltar data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.
Greece regulation
Further to the relevant GDPR provisions, the Greek Data Protection Law lays down specific rules on the appointment of DPO by public authorities. The particularity of Greek law is that public authorities can be considered to be exempted from the obligation to publish the contact details of the DPO and communicate them to the HDPA for reasons of national security or confidentiality.
It needs to be noted that the tasks of the Data Protection Officer (under Article 37 of GDPR) are incompatible with the tasks of the Information and Communication Systems Security Officer (“Y.A.S.P.E.”, as per its Greek initials), a new role established according to Greek Law 5160/2024 (hereinafter the “Greek Cybersecurity Law”), the national law for the transposition of EU Directive 2022/2555 (NIS2).
Public offices and private parties defined in Art. 6 of the Law on Access to Public Information must implement Public Information Units, pursuant to Art. 19 of the law.
A data protection officer ("DPO") must be appointed where:
- processing is carried out by a public authority (other than a court, or tribunal acting in a judicial capacity); or
- the core processing operations of the controller or processor require or involve "large-scale and systematic monitoring of data subjects" or "large-scale processing of special category of data".
The ODPA has issued guidance clarifying what is intended by the use of the term "large-scale processing", noting that this term is not defined in either the GDPR or the DPL 2017.
The ODPA's guidance references the guidance on the appointment of DPOs ("DPO Guidelines") issued by the EU's former advisory body (previously known as the Article 29 Working Party and now replaced by the European Data Protection Board ("EDPB")). The ODPA advises controllers and processors to take into account the terms of both the GDPR and the DPO Guidelines when assessing whether or not a DPO is required to be appointed. It also clarifies that small businesses in Guernsey are, as a general rule, unlikely to be undertaking large-scale processing unless they work with large databases of customers or other types of data subjects. Finally, the ODPA expects controllers and processors to review the scope and nature of processing periodically to ascertain whether or not their prior assessment remains valid or if there are sufficient factors to warrant appointing a DPO. All controllers and processors should document their decision-making and the outcome of such reviews.
A data controller will have the option to appoint a data protection officer. According to article 14 and following of Law on Cybersecurity and Personal Data Protection, the data protection officer must be a person qualified to perform such tasks. He must keep a list of the processing operations carried out which is immediately accessible to any person who requests it, and may not be subject to any sanction by his employer as a result of the performance of his duties.
The appointment of a data protection officer by the data controller must be notified to the authority responsible for personal data protection. This appointment must also be brought to the attention of the employer's staff representative bodies.
N/A.
Only Obligated Entities must appoint a data protection officer.
Currently, there is no legal requirement for data users to appoint a data protection officer in Hong Kong. However, the PCPD issued a best practice guide in February 2014 (which was further revised in March 2019) to advocate the development of a privacy management program and encourage data users to appoint or designate a responsible person to oversee the data users' compliance with the Ordinance. There is no specific requirement for a Hong Kong citizen or resident to hold this role. There is no specific enforcement action or penalty if a company does not appoint a data protection officer.
Iceland regulation
Iceland did not extend the requirement to appoint a Data Protection Officer, cf. Article 37(4) of the GDPR.
The DPA defines a public authority or body in accordance with Article 1 of the Administrative Procedures Act no. 37/1993. The term public authority refers to all parties, institutions, committees, etc. which are governed by state and local government. According to the bill to the DPA, it is regarded as desirable that companies entrusted with certain projects in the public interest designate a Data Protection Officer with regard to those projects. Such projects are, for example, in the field of public transport, road construction and energy utilities.
The Data Protection Officer may not disclose any information brought to his or her knowledge in the course of his or her work and covered by the obligation of professional secrecy. Further, the Data Protection Officer has an obligation of confidentiality in accordance with Chapter X of the Icelandic Administrative Procedures Act no. 37/1993.
Under the DPDP Act, Data Fiduciaries are required to appoint a contact person to address any questions that a Data Principal may have about the processing of their personal data.
Significant Data Fiduciaries are required to appoint a Data Protection Officer for the same purpose. The Data Protection Officer is required to be based in India and will be responsible to the board of directors or any similar governing body of the Data Fiduciary. The Data Protection Officer will also be the point of contact for a Data Principal for the purpose of grievance redressal under the DPDP Act.
Pursuant to the Draft Rules, every Data Fiduciary is required to publish on its website / app and in every response to a communication to a Data Principal for the exercise of their rights, the business contact information of the Data Protection Officer / the contact person to address any questions that the Data Principal may have, as the case may be.
There is no requirement in Indonesia for organizations to appoint a data protection officer ("DPO") except in certain situations mentioned below.
The PDP Law formally establishes the position of a data protection officer (DPO) into Indonesian law, which was nonexistent under the General Data Protection Regulations.
The PDP Law requires data controllers and data processors to appoint a DPO only if:
- the personal data processing is for public service purposes;
- the main operations of the data controller require large-scale, frequent and systematic monitoring of personal data; or
- the main operations of the data controller involve large-scale personal data processing of specific personal data and / or personal data related to criminal activity.
This DPO shall, at the very least, carry out the functions of:
- informing and providing advice to data controllers or data processors regarding compliance with the PDP Law;
- monitoring and ensuring compliance with the PDP Law and the internal policies of a data controller or data processor;
- providing advice regarding the personal data protection impact assessment and monitoring the performance of data controllers or data processors; and
- coordinating and acting as a contact person for issues related to personal data processing.
Further conditions on DPOs will be set out in a separate government regulation, which, at the time of writing, has yet to be issued.
There is no requirement to appoint a data protection officer.
Ireland regulation
Ireland has not yet extended the requirement to appoint a Data Protection Officer (“DPO”). However, Section 34 of the DP Act does provide the Minister for Justice and Equality with the power to make regulations requiring controllers or processors to designate a data protection officer.
In addition, the DP Act requires enhanced “suitable and specific” measures to be implemented in relation to certain processing activities. In such cases, the designation of a DPO (in cases where it is not mandatory under GDPR) is listed in section 36 of the DP Act as one example of such measures.
The DPC maintains a register of DPOs. No fee is charged for registering or updating the details of a DPO.
Appointment of a Data Security Officer is required of an entity meeting one of the following conditions:
- a possessor of five databases that require registration;
- a public body as defined in Section 23 to the PPL; or
- a bank, an insurance company or a company engaging in rating or evaluating credit.
Failure to nominate a Data Security Officer when required to do so may result in criminal sanctions, including administrative fines. The PPL does not require that the Data Protection Officer should be an Israeli citizen or resident.
In the event that a Data Security Officer was appointed pursuant to the PPL, the Israel Protection of Privacy Regulations (Data Security), 5777-2017 ('Data Security Regs') require that the officer be directly subordinate to the database manager / controller, or to the manager of the entity that owns or holds the database. In addition, the Data Security Regs prohibit the officer from being in a conflict of interest and require the officer to establish data security protocols and ongoing plans to review compliance with the Data Security Regs. The officer must present findings from such review to the database manager / controller and its supervisor.
Amendment 13 added a requirement to appoint a Data Protection Officer in the following circumstances:
- the controller is a Public Body as defined in Section 23 of the PPL;
- the controller operates a database whose main purpose is collecting Personal Data in order to transfer it to a third party (data brokers) and the database contains Personal Data of more than 10,000 data subjects;
- the controller or processor has main activities that include processing which, in light of its nature, scope or purpose, requires regular and systematic monitoring of data subjects on a Large Scale (as defined in Amendment 13); or
- the controller or processor operates databases that include Especially Sensitive Data on a Large Scale (as defined in Amendment 13).
Large Scale will be determined by, among other things, the number of data subjects whose Personal Data is processed, their proportion within a specific population, the scope and volume of the Personal Data, the variety of data types processed, the duration and frequency of the processing activities, the retention period of the Personal Data, and the geographical area where the processing occurs. The DPO must have the required expertise and abilities to carry out their responsibilities effectively, including in-depth knowledge of privacy protection laws, an adequate understanding of technology and information security, and an understanding of the company's operations and goals. The DPO will not take on any additional roles, nor be subordinate to any official within the body where they hold their position or in any other body, if such a role or subordination could create a conflict of interest that would interfere with the performance of their duties. The DPO will report directly to the CEO or another senior executive and may be external to the company.
The DPO will advise the company's management and staff on privacy-related issues, design and oversee a privacy training program, establish and maintain ongoing compliance monitoring, address data subject inquiries, and serve as the point of contact with the IPA.
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
There is no specific legal requirement to appoint a data protection officer. However, some guidelines provide that specific directors or employees should be assigned to control Personal Information (e.g. Chief Privacy Officer).
Data controllers and processors are required (Article 24 DPJL) to appoint a data protection officer if:
- Processing is carried out by a public authority (with the exception of courts acting in their judicial capacity)
- The core activities of the controller or the processor consist of processing operations that, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
- The core activities of the controller or the processor consist of processing special category data on a large scale, or
- It is otherwise required by law
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 24(3) DPJL). However, larger corporate groups may find it difficult in practice to operate with a single data protection officer. The data protection officer must be easily accessible to:
- All data subjects
- The Information Commissioner, and
- The controller or processor who appointed the officer, along with the controller’s or processor’s employees that carry out data processing
Data protection officers (DPOs) must have expert knowledge (Article 24(6) DPJL) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 24(7) DPJL).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 25(1) DPJL), and the DPO must directly report to the highest management level of the controller or processor (Article 25(2) DPJL).
In addition, controllers and processors must:
- Ensure that the data protection officer operates independently and does not receive any instructions regarding the performance of those duties, other than to perform them to the best of the officer’s ability and in a professional and competent manner (Article 25(1)(c) DPJL), and
- Not dismiss or penalize the data protection officer for performing his or her duties other than for failing to perform them to the best of the officer's ability and in a professional and competent manner (Article 25(1)(d) DPJL)
The specific tasks of the DPO are set out in Article 26 DPJL and include:
- Informing and advising on compliance with the DPJL, DPAJL and other applicable data protection laws
- Monitoring compliance with the law and with the internal policies of the organization, including assigning responsibilities, raising awareness and training staff
- Advising on and monitoring data protection impact assessments, where requested, and
- Cooperating and acting as point of contact with the Information Commissioner
Not applicable at present, but see details on the draft law.
Under Kazakh law, an owner and / or operator of a personal data database, which is a legal entity, should appoint a person responsible for organizing the processing of personal data. Such person is obliged to:
- exercise internal control over observance by the owner and / or operator of a personal data database and its employees of Kazakh law requirements in relation to personal data and its protection;
- inform the employees of an owner and / or operator of the provisions of Kazakh law in respect of processing and protection of personal data;
- exercise control over receipt and processing of applications from personal data subjects or their legal representatives.
In addition, an owner and / or operator of a database containing personal data, and any third party related to the owner and / or operator, should, inter alia, when collecting and processing personal data, determine the list of persons carrying out the collection and processing of personal data or having access to it.
Section 24 of the Act
The Act makes provisions for the designation of Data Protection Officers (DPOs) but this obligation is not mandatory.
DPOs can be members of staff and may perform other roles in addition to their DPO role. A group of entities can share a DPO, and the contact details of the DPO must be published on the organisation’s website and communicated to the DPC.
DPOs have the following roles:
- Advising the data controller or data processor and their employees on data processing requirements provided under the Act or any other written law;
- Ensuring compliance with the Act;
- Facilitating capacity building of staff involved in data processing operations;
- Providing advice on data protection impact assessment; and
- Co-operating with the DPC and any other authority on matters relating to data protection.
DPOs under the Regulations also have the following additional roles:
- Monitoring and evaluating the efficiency of the data systems in the organization; and
- Keeping written records of the processing activities of the civil registration entity.
Controllers and Processors must appoint a data protection officer in the following cases (Article 37 (1)):
- The processing is carried out by a public authority or body, except in cases of courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and / or their purpose, require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or the processor consist of processing, on a large scale, of sensitive personal data, and processing of personal data related to criminal convictions and offences.
A group of undertakings has the option to appoint a joint data protection officer, provided that the officer remains easily accessible to every entity within the group (Article 37.2). The appointment of a data protection officer is based on their professional knowledge and experience in data protection laws (Article 37.5).
The LPPD outlines the following tasks for data protection officers (Article 39.1):
- informing and advising controllers and / or processors on their obligations when processing personal data;
- where required, providing advice on the data protection impact assessment and monitoring its performance;
- cooperating with the IPA; and
- acting as the contact point for the IPA on issues relating to the processing of personal data.
The Data Protection Regulation does not explicitly outline the mechanisms and obligations for the appointment of data protection officers, per se. However, service providers must provide CITRA with the contact details of their appointed data protection officer when reporting data breaches.
Under the Law on Personal Data, Holders (Owners) of personal data (ie the data controller) must indicate in their registration the name and contact details of the person responsible for the work with personal data. However, the Law on Personal Data does not contain any direct obligation to appoint a Data Protection Officer.
Under the Law on Electronic Data Protection, there is no data protection officer so to speak. The law introduces the idea that a team or an employee is required to supervise the protection of sensitive data; no information is provided on the duties and rights of such team or employee, or their scope of work. Moreover, the team or employee in charge of the protection of sensitive data is not required to register with any authority.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- It is a public authority
- Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, or
- Its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- To inform and advise on compliance with GDPR and other Union and Member State data protection laws
- To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
- To advise and monitor data protection impact assessments where requested
- To cooperate and act as point of contact with the supervisory authority
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Latvia regulation
The Personal Data Processing Law provides no derogation from the requirements of the GDPR regarding DPO. The Personal Data Processing Law provides the rules for examining an individual’s knowledge in data protection and obtaining the status of DPO. The Personal Data Processing Law allows data controllers and processors to appoint as a DPO any person who has the qualifications under the requirements of the GDPR.
The October 6, 2020 Cabinet Regulation No 620 “Data Protection Specialist Qualification Regulation” (Regulation No 620) determines in detail the application procedure, the content and procedure of the qualification examination and payment procedures for organizing the qualification exam. However, the qualification examination is not mandatory.
Regulation No 620 does not set mandatory education requirements. A person who wishes to take the qualification exam applies to the Data State Inspectorate and pays the examination fee. After the person has passed the qualification exam, they are included in the list of qualified DPOs maintained by the Data State Inspectorate and published on its website.
Regulation No 620 also provides for the maintenance of professional qualifications for DPOs who have already been included in the list of DPOs. To maintain their professional qualifications, DPOs must participate in training in personal data protection or another field related to the performance of the DPO's duties.
The Law brings no definition of data protection officer.
The DP Act (section 58) authorizes the head of a data controller to designate, by order, one or more officers or employees to be Data Protection Officers of that controller. In terms of that order, the Data Protection Officers may exercise, discharge or perform any of the power, duties or functions of the head of the data controller under this Act.
There is no known or publicly designated Data Protection Officer, or Officers, in Liberia. In the same vein, there is no law requiring the appointment or creation of such posts, whether in public or private entities dealing with data.
There is no data protection officer requirement as per Libyan Law.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- It is a public authority
- Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
- Its core activities consist of processing sensitive personal data on a large scale
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- To inform and advise on compliance with GDPR and other Union and Member State data protection laws
- To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
- To advise and monitor data protection impact assessments where requested
- To cooperate and act as point of contact with the supervisory authority
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Lithuania regulation
The Data Protection Law does not determine any derogations from the requirements which are set in the GDPR regarding data protection officers.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- It is a public authority
- Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
- Its core activities consist of processing sensitive personal data on a large scale
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- To inform and advise on compliance with GDPR and other Union and Member State data protection laws
- To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
- To advise and monitor data protection impact assessments where requested
- To cooperate and act as point of contact with the supervisory authority
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Luxembourg regulation
Article 65(1) of the Law of August 1, 2018 on the organization of the National Data Protection Commission provides for a specific obligation to appoint a DPO in the context of processing of personal data for scientific or historical research purposes or statistical purposes. Such appointment must be made in accordance with the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of the relevant data subjects. In this regard, if the data controller elects not to appoint a DPO, it must then formally document and justify why it chose not to appoint a DPO, for each project involving a processing of personal data for scientific or historical research purposes or statistical purposes.
Article 64 of the Law of August 1, 2018 on the organization of the National Data Protection Commission provides that the same applies to processing of special categories of personal data for the purposes defined in Article 9(2)(j) GDPR (ie, processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).
There is no legal requirement to appoint a data protection officer in Macau.
The Data Protection Law requires the appointment of a data protection officer (délégué à la protection des données à caractère personnel) in Madagascar, but only once the CMIL is operational, because the appointed data protection officer (“DPO”) must be notified to the CMIL.
The appointment of a DPO exempts an entity from making prior declarations to the CMIL.
The appointment of a DPO does not exempt an entity from requesting prior authorisation, where necessary (for example where there is a transfer of data to a country that does not provide an adequate level of protection for personal data).
The DPO must be a resident of Madagascar.
Currently, Malaysian law does not require that data users / data controllers appoint a data protection officer (“DPO”). However, under the Amending Act, the data controller or data processor is required to appoint one or more DPOs who shall be accountable to the data controller or data processor for the compliance with the PDPA. Such appointment will not discharge the data controller or data processor from all their duties and functions under the PDPA. This requirement will come into force on June 01, 2025.
The Public Consultation Paper No. 02/2024: The Appointment of Data Protection Officer (“PCP No. 02/2024”) issued by the PDP Department on August 19, 2024, proposes that the mandatory DPO appointment requirement applies only to data controllers or data processors that carry out data processing activities on a “large scale”. Multiple factors will be taken into account in determining whether the data processing activities are deemed to be large scale:
- the number of data subjects concerned;
- the volume of data and / or the range of different data items being processed;
- the nature of the data being processed;
- the risk posed to the data subject as a result of the data processing activity carried out by the data controller / data processor;
- the duration, or permanence, of the data processing activity; and / or
- the geographical extent of the data processing activity.
To prevent the DPO role from becoming redundant, it is also proposed that the DPO be allowed to carry out additional job functions beyond their data-specific roles as a DPO. Additionally, it is also essential to note that the PCP No. 02/2024 proposes that a single DPO is allowed to serve multiple entities within the same group of companies for the data controller or data processor.
The DPO guidelines to be issued under the PCP No. 02/2024 are expected to be released by early next year.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- It is a public authority
- Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
- Its core activities consist of processing sensitive personal data on a large scale
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- To inform and advise on compliance with GDPR and other Union and Member State data protection laws
- To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
- To advise and monitor data protection impact assessments where requested
- To cooperate and act as point of contact with the supervisory authority
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Malta regulation
The Act does not derogate or further regulate from the provisions of the GDPR in this regard.
However, DPOs must be notified to the Commissioner (where the Commissioner has jurisdiction) by sending, even via email, the following basic information:
- Data Controller identity
- name of DPO
- position
- mailing address
- email address
- contact number
- nature of business
- date of appointment, and
- whether the DPO is fulfilling this role for other data controllers.
The DPA 2017 provides that every controller shall adopt policies and implement appropriate technical and organizational measures so as to ensure and be able to demonstrate that the processing of personal data is performed in accordance with the Act.
One of such measures is the mandatory requirement for the designation of a data protection officer (DPO) by all controllers and processors.
There can be one DPO for a group of companies, provided he is accessible for each company within the group.
The DPO can be an employee of the controller / processor, provided that there is no conflict of interest (if such position leads to the determination of purposes and means of processing) such as in the case of a chief executive, chief operating, chief financial, chief medical, head of marketing, head of human resource or head of IT.
The DPO can also be someone from outside the organisation.
The DPO needs to have professional experience and knowledge of data protection laws and standards.
The controller / processor is required to ensure that the DPO does not receive any instructions regarding the exercise of his functions; he should work in an independent environment and manner.
Role of DPO
The role of the DPO is to:
- advise the controller / processor and its employees about their obligations to comply with data protection laws and monitor compliance;
- train staff and conduct internal audits;
- advise on DPIAs;
- maintain a record of processing operations under his responsibility;
- be the first point of contact for the Data Protection Office and for individuals whose data are processed (employees, customers).
DPOs are not personally responsible for non-compliance with data protection requirements. Data protection compliance is the responsibility of the controller / processor.
All data controllers are required to designate a personal data officer or department (each, a Data Protection Officer) to handle requests from data subjects exercising their ARCO Rights (as defined in ‘Collection and Processing’) under the Law. Data Protection Officers are also responsible for overseeing and advising on the protection of personal data within their organizations.
The appointment of an internal data protection officer is required, in the following cases:
- the processing is carried out by a public authority or institution, with the exception of courts acting in their judicial capacity;
- the main activities of the Data Controller or data processors consist of processing operations which, by virtue of their nature, their scope and / or their purposes, necessitate regular and systematic monitoring of data subjects on a large scale; and
- the main activities of the Data Controller or data processor consist of large-scale processing of special categories of data.
There is no requirement in Monaco for organizations to appoint a data protection officer.
However, appointing a data protection officer is viewed by the CCIN as evidence of measures taken by a company to ensure compliance with the data protection legislation. In practice, however, companies in Monaco do not generally appoint data protection officers.
When appointed in these companies, he is usually responsible for informing and advising the members of the entity on the legal obligations regarding data processing and for cooperating with the CCIN.
Data Controllers must have a unit or personnel in charge of information and data security. The Data Protection Law provides that Data Controllers and any person who processes the data must adopt internal rules and regulations on:
- maintenance of information security; and
- measures to be taken in case of data loss and a plan to deliver information to the Data Owner and the relevant state authority.
In this regard, organisations, as a Data Controller and processor, may appoint a data protection officer of their own volition.
Under the DP Law, a data controller is required to appoint a DPO subsequent to the Database's establishment. However, a DPO is not required if the data controller has fewer than ten employees involved in the processing of personal data.
There is no requirement for a data protection officer under the DP Law.
The Electronic Transactions Law requires the data processor to appoint someone responsible for compliance with the provisions related to electronic personal data protection.
There is no definition for Data Protection Officers, but there is a definition for Personal Data Administrator. The Personal Data Administrator (“PDA”) means “a person and its staff authorized by a government department or an entity having power to conduct the collecting, storing and using of personal data according to the provision of this law or any existing law.” (Section 2(m) of Electronic Transactions Law as amended in 2021).
MICT
Not applicable.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- It is a public authority
- Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
- Its core activities consist of processing sensitive personal data on a large scale
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have expert knowledge (Article 37(5)) of data protection laws and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- To inform and advise on compliance with GDPR and other Union and Member State data protection laws
- To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
- To advise and monitor data protection impact assessments where requested
- To cooperate and act as point of contact with the supervisory authority
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Netherlands regulation
The Implementation Act (Article 39) provides more detailed information regarding the secrecy requirement set out in Article 38(5) GDPR, by stipulating that the DPO must maintain the secrecy of any information that becomes known to him or her pursuant to a complaint by or request from a data subject, unless the data subject agrees to disclosure.
Organisations must register their DPO with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The registration form is available here.
A special email address and phone number is available for registered DPOs to contact the Dutch Data Protection Authority in case of questions with regard to the tasks of DPOs and GDPR compliance.
The contact details are as follows:
Phone number: (+31) (0)70-8888660
The Act requires each agency to appoint one or more individuals to be a privacy officer. The privacy officer may be within or external to the agency (i.e. the privacy officer role may be outsourced to a third party) and does not need to be a New Zealand citizen or reside in New Zealand.
The privacy officer's responsibilities include the following:
- The encouragement of compliance with the information privacy principles (IPPs) contained in the Act;
- Dealing with requests made to the agency pursuant to the Act;
- Working with the Privacy Commissioner in relation to investigations relating to the agency; and
- Ensuring compliance with the provisions of the Act.
Any officer responsible for the Data File of each organisation must register in the Data Files Registry that the Personal Data Protection Directorate enables for this purpose.
We must reiterate that this obligation cannot in practice be fulfilled, as the Personal Data Protection Directorate has not been formally established.
There is no provision in the law relating to the appointment of a data protection officer.
However, Article 79 of the Law n°2022-59 of December 16, 2022 relating to the protection of personal data pertains to the designation of the personal data protection correspondent, which is defined in Article 1 as the person designated by the company carrying out the processing of personal data, to whom data subjects or interested persons may address any queries.
Article 79 of the aforementioned Law continues to state that the correspondent must possess the required qualifications to carry out their duties and be able to make a list of processing activities immediately accessible for any person requesting the same. The correspondent is exempt from any sanction on the part of the employer resulting from the carrying out of their duties.
Furthermore, the data controller's designation of a correspondent must be notified to the HAPDP and, in the event of failure to carry out their duties, the correspondent may be discharged at the request of, or after consultation with, the HAPDP.
The Nigerian Data Protection Act 2023 requires Data Controllers of Major Importance to designate a Data Protection Officer (DPO) who will be responsible for ensuring internal compliance with the Act, other applicable data protection directives, and serving as a point of contact between the Data Controller and the regulatory body (Nigeria Data Protection Commission). The Data Protection Officer may be an employee of a Data Controller or engaged by a service contract.
Under the DP Law, data controllers and data processors are obliged to appoint a DPO in certain cases, i.e. when:
- processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- core activities of the data controller/processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- core activities of the data controller/processor consist of processing on a large scale of special categories of personal data and personal data relating to criminal convictions and offences.
Data protection officers must:
- inform and advise the data controller or data processor and employees who process data about their duties in accordance with the DP Law;
- monitor compliance with the DP Law, with other national laws and with the policies of the controller/processor;
- increase awareness of data protection practices;
- provide advice on Data Protection Impact Assessment;
- collaborate with the DPA;
- act as a contact for the DPA regarding the adequate collection and processing of personal data and perform other prescribed tasks.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Norway regulation
The government may issue further regulations as regards the duty to appoint a DPO. No such regulations have been issued yet.
There is currently no law in force which makes mandatory the appointment of a Data Protection Officer. Alternatively, PECA 2016 provides for the establishment of an investigation agency under section 29, whose “authorized officers” are granted powers of investigation and cognizance, which may be similar to that of a data protection officer in some capacities. The investigation agency under this provision of PECA 2016 is the Federal Investigation Agency (FIA), authorized through rule 3 of the Prevention of Electronic Crimes Investigation Rules, 2018.
However, the PDPB, which is yet to be promulgated into law, recognizes the existence and role of a Data Protection Officer, which shall be determined by the Commission.
Appointment of a data protection officer is optional under the Data Protection Law for private companies, but required for governmental entities. According to Rule No. 1-2022, banks established in the Republic of Panama are also required to appoint a data protection officer.
Under current legislation, the appointment of Data Protection Officers is not required.
There is currently no requirement to appoint a data protection officer in the private sector (only in the public sector). However, when a company registers its personal database with the NDPA, it can report that it has a Security Manager of that database.
However, the New Regulation introduces the requirement to appoint a Personal Data Officer under certain circumstances. Although the NDPA is expected to issue guidelines providing further guidance on the interpretation of this new requirement, according to the New Regulation this obligation applies to Data Controllers and Data Processors:
- that are public entities;
- that Process large volumes of Personal Data, either in quantity or type of data;
- that undertake data Processing activities that involve the Processing of:
  - Personal Data for a large number of data subjects;
  - Sensitive Personal Data as part of the entity's main activity or line of business;
  - Personal Data leading to evident prejudice to the data subject's fundamental rights or freedoms.
Entities must come into compliance with this new requirement within varying grace periods, running from November 30, 2025 to November 30, 2028, which are determined by the entity's annual revenue, as follows:
| Company Type / Size | Annual Revenue | Grace Period |
| --- | --- | --- |
| Large | Over S/ 12,305,000 (approx. USD 3,326,000) | November 30, 2025 |
| Medium | Over S/ 9,095,000 (approx. USD 2,500,000) and up to S/ 12,305,000 (approx. USD 3,326,000) | November 30, 2026 |
| Small | Over S/ 802,500 (approx. USD 217,000) and up to S/ 9,095,000 (approx. USD 2,500,000) | November 30, 2027 |
| Micro | Up to S/ 802,500 (approx. USD 217,000) | November 30, 2028 |
The Personal Data Officer must be appointed based on professional qualities and knowledge and expertise in personal data protection (which must be duly accredited). The Personal Data Officer may be internal or external to the company. Internal Personal Data Officers may perform additional functions within the company, subject to certain limitations and conditions.
The key responsibilities of a Personal Data Officer are to:
- Inform and advise of the obligations established by the provisions regarding data protection
- Verify and report on compliance with the applicable regulation, as well as on compliance with the policies of the data controller or data processor, including the assignment of responsibilities, awareness and training of personnel involved in processing operations, and audits to be carried out
- Cooperate with the NDPA for the performance of its purposes and attributions, and
- Act as a point of contact for the NDPA for issues related to the processing of personal data.
The PIC of an organization must appoint a person or persons who shall be accountable for the organization’s compliance with the Act, and the identity of such person or persons must be disclosed to the data subjects upon the latter’s request. The implementing rules and regulations of the Act likewise require any natural or juridical person or other body involved in the processing of personal data to designate an individual or individuals who shall function as DPO, compliance officer or otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security. The Act does not specifically provide for the citizenship and residency of the DPO. The Act likewise does not specifically provide for penalties relating to the incorrect appointment of DPOs.
The NPC has published guidelines on the designation of the DPO.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- It is a public authority;
- Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
- Its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have expert knowledge (Article 37(5)) of data protection laws and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- To inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- To advise and monitor data protection impact assessments where requested;
- To cooperate and act as point of contact with the supervisory authority.
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Poland regulation
According to the new PDPA, the appointment of a Data Protection Officer (DPO) must be notified to the supervisory authority within 14 days. The notification should include the name and email address of the DPO or his or her phone number. Any changes to the information provided or the dismissal of a DPO should also be notified within 14 days. The entity who appointed the DPO shall make available the DPO's details on its website or in a generally accessible manner at a place of pursuit of activity (if it does not have its own website). According to official guidance from the Polish DPA, the contact details of the DPO should be easily accessible, not hidden somewhere in long documents such as a privacy policy etc.
The Implementing act includes the possibility to designate a person to replace the DPO during their absence (e.g. temporary absence). However, it would be necessary to inform the Polish DPA about the designation in the same way as about the designation of a DPO. All rules and requirements for DPOs, such as the ones stated in article 37 of the GDPR or the obligation to inform the Polish DPA are also applicable to this person.
If a person was officially appointed as an Information Security Officer (ABI) under the previous PDPA, this person automatically became a DPO for the data controller until September 1, 2018, and provided that the appointment was notified to the President of the Office before that date, the person continues to serve as a DPO after that date.
If the data controller is obliged to appoint a DPO in accordance with Article 37 of the GDPR but did not appoint one under the previous PDPA, the appointment of the DPO should have taken place and been notified to the President of the Office before July 31, 2018.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- It is a public authority
- Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
- Its core activities consist of processing sensitive personal data on a large scale
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- To inform and advise on compliance with GDPR and other Union and Member State data protection laws
- To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
- To advise and monitor data protection impact assessments where requested
- To cooperate and act as point of contact with the supervisory authority
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Portugal regulation
In accordance with Law no. 58/2019 of 8 August, the appointment of a Data Protection Officer (DPO) shall follow the requirements provided in Article 37(5) of the GDPR. No professional certification is required and the DPO is bound by professional secrecy. In addition to the functions described in the GDPR, DPOs shall ensure that audits are carried out, inform users of the importance of detecting data breaches and manage relations with data subjects in relation to matters covered by the GDPR and national data protection laws.
For the purposes of the mandatory notification of the data protection officer to the supervisory authority, in the context of Article 37 (7) of the GDPR, the supervisory authority established the applicable procedure for notification. A specific form made available by the supervisory authority on its website should be completed and submitted online (the form is available here).
There is currently no obligation for organizations in Qatar to appoint a data protection officer. There is an obligation on the data controller to specify processors responsible for protecting personal data, train them appropriately on the protection of personal data and raise their awareness in relation to protecting personal data.
There is no requirement under the DPL or the DPR for organizations to appoint a data protection officer. Note, though, the general obligation of a data controller to implement appropriate technical and organizational measures to protect personal data, as further detailed below (see Security). It is, however, recommended that organizations that operate on a large scale or carry out regular and systematic monitoring of individuals appoint an individual responsible for overseeing the data controller's compliance with data protection requirements.
A data protection officer (délégué à la protection des données) needs to be appointed when:
- the data processing is carried out by a public entity;
- the data processing, by virtue of its nature or purpose, requires regular and systematic monitoring; or
- the data processing of particular data is carried out on a large scale.
EU regulation
Each controller or processor is required to appoint a data protection officer (DPO) if it satisfies one or more of the following tests:
- It is a public authority
- Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
- Its core activities consist of processing sensitive personal data on a large scale
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities, provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have expert knowledge of data protection law and practices, though it is possible to outsource the DPO role to a service provider.
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data," and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks.
The specific tasks of the DPO, set out in GDPR, include:
- To inform and advise on compliance with GDPR and other Union and Member State data protection laws
- To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
- To advise and monitor data protection impact assessments where requested
- To cooperate and act as point of contact with the supervisory authority
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Romania regulation
In addition to the requirements provided by the GDPR in Articles 37 to 39, Law no. 190/2018 provides that a data protection officer (DPO) must be designated whenever the entity acting as controller is processing a national identification number, including by collecting or disclosing any documents enclosing such national identification number, when the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, in accordance with the provisions of Article 6 paragraph 1 letter (f) of the GDPR.
If the data controller is a legal entity, it is required to appoint a data protection officer. Such an appointment is considered to be a personal data protection measure. The data protection officer oversees compliance by the data controller and its employees regarding the data protection issues, informs them of statutory requirements and organises the receiving and processing of communications from data subjects.
There are no legal restrictions as to whether the data protection officer should be a citizen or resident of the Russian Federation; however, it is advisable that the data protection officer be available in case of an inspection or other communication from the authorities.
Non-appointment or improper appointment of the data protection officer is a violation of the data protection regime and may result in the imposition of penalties and enforcement protocols, as described below.
The Data Protection Law requires that the DC and DP designate a data protection officer in the following cases (article 40):
- the processing of personal data is carried out by public or private corporate body or a legal entity, except courts;
- the core activities of the DC or the DP consist of personal data processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- the core activities of the DC or the DP consist of processing on a large scale of sensitive personal data and personal data of convicts in accordance with the Data Protection Law's requirements for the processing of such data.
The PDPL clarifies when a data controller must appoint a data protection officer. This includes where the data controller is a public entity that provides services involving the processing of personal data on a large scale, where the primary activities of the data controller consist of processing operations that require regular and continuous monitoring of individuals on a large scale, and where the core activities of the data controller consist of processing sensitive data.
The law designates a Personal Data Protection Commission (the CDP), whose role it is to ensure that any processing of personal data is in accordance with the law. The commission is also responsible for informing data controllers and data subjects of their rights and obligations, handling complaints, conducting audits, and sanctioning data controllers who are in breach of the law.
According to the DP Law, controllers and processors are required to designate a data protection officer (“DPO”), whose primary task is to ensure compliance with the data processing law and regulations and to communicate with the DPA and the data subjects on all data protection matters. Similar to the GDPR, this obligation applies if the following criteria are met:
- The processing is carried out by a public authority (with the exception of a court acting in its judicial capacity).
- The core activities of the controller / processor require the regular and systematic monitoring of data subjects on a large scale, or the large-scale processing of special categories of personal data — eg, health data or trade union memberships, or criminal convictions / offences data.
The DPO may be employed or engaged under a service contract, and in any case must have sufficient expert knowledge. A group of companies may appoint a single DPO, provided that he is equally accessible to each company.
Controllers and processors are required to ensure the DPO’s independence in the performance of his tasks. This means the following:
- No instructions may be given to the DPO.
- The DPO must report directly to the manager of the controller / processor.
- The DPO may not be dismissed or penalized for performing his or her tasks.
The Act does not contain any legal requirement to appoint a data protection officer.
It is mandatory for each organization to appoint one or more DPOs to be responsible for ensuring the organization’s compliance with the Act. An organization may appoint one person or a team of persons to be its DPO. Once appointed, the DPO may in turn delegate certain responsibilities, including to non-employees of the organization. The business contact information of the DPO must be made available to the public.
While there is no requirement for the DPO to be a citizen or resident in Singapore, the Commission suggests that the DPO should be readily contactable from Singapore, available during Singapore business hours and, where telephone numbers are provided, these should be Singapore telephone numbers.
Failure to appoint a DPO may lead to a preliminary investigation by the Commission. If an organization or an individual fails to cooperate with the investigation, this will constitute an offence. As a result, an individual may be subject to a fine of up to SGD 10,000 or imprisonment for a term not exceeding 12 months, or to both. An organization may be subject to a fine of up to SGD 100,000.
National Ordinance Personal Data Protection
Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data.
Besides the measures above, the National Ordinance Personal Data Protection does not contain any clauses on any type of registration, filings of documents to any public agency or having a mandatory data protection officer in place.
GDPR
The appointment of a data protection officer under the GDPR is only mandatory in three situations:
- When the organisation is a public authority or body;
- If the core activities require regular and systematic monitoring of data subjects on a large scale; or
- If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Slovak Republic regulation
There is an online form on the website of the Slovak Office which should be completed in order to notify the supervisory authority of the appointment of a DPO.
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- It is a public authority;
- Its core activities consist of processing operations which, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- Its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2) GDPR), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5) GDPR) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6) GDPR).
It should be noted that ZVOP-2 provides for two other requirements for appointment of DPOs, namely: (a) legal capacity and (b) that the person has not been sentenced to a minimum term of imprisonment of six months or has not been the subject of a final conviction for a criminal offence relating to the misuse of personal data. Additional conditions also vary depending on whether the DPO works in a public authority, public sector (other than public authority) or in the private sector.
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1) GDPR), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3) GDPR).
The specific tasks of the DPO, set out in GDPR, include (Article 39 GDPR):
- to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.
In accordance with Article 48 ZVOP-2, the DPO performs the tasks listed in Article 39 GDPR and, specifically, provides advice on risk assessments regarding the security of personal data in relation to all processing of personal data in databases carried out by the controller or processor to whom the DPO is assigned.
Data protection officers (referred to in POPIA as "information officers") must be registered with the Information Regulator. The duties and responsibilities of a responsible party's information officer are set forth in POPIA and include encouraging and ensuring compliance with POPIA; dealing with any requests made to that responsible party in terms of POPIA; and working with the Information Regulator in respect of investigations by the Information Regulator in relation to that responsible party. The Regulations to POPIA, among other things, further provide that the information officer must ensure that a compliance framework is developed, implemented, monitored and maintained, and that a personal information impact assessment is conducted to ensure that adequate measures and standards for the protection of personal information exist.
Under PIPA, every personal data controller (meaning any government entity, company, individual or other person that, directly or through a third party, controls and / or processes personal information in order to operate personal information files as part of its activities) must designate a chief privacy officer (“CPO”), who must be an employee or executive of the company.
In addition, personal data controllers that meet certain criteria are required to designate a CPO with (i) at least three years of experience in personal information protection, and (ii) a combined career of at least six years in personal information protection, data protection, and information technology. More specifically, the obligation to designate a CPO with the foregoing qualifications is applicable to an entity whose annual sales revenue or income amounts to at least KRW 150 billion, and (i) processes sensitive information or unique identification information of at least 50,000 data subjects, or processes personal information of at least 1 million data subjects; (ii) is a school under the Higher Education Act with at least 10,000 enrolled students as of December 31 of the immediately preceding year; (iii) is a tertiary hospital under the Medical Service Act; or (iv) is a public institution operating a personal information processing system which meets the standards set by the PIPC.
There are no nationality or residency requirements for the CPO. In the event that a CPO is not designated, the personal information processing entity may be subject to a maximum administrative fine of KRW 10 million under the PIPA.
The CPO’s obligations under the PIPA are as follows:
- establishing and implementing plans for the protection of personal information;
- performing periodic investigations and improving the status and practices of the processing of personal information;
- handling complaints and dealing with damage pertaining to the processing of personal information;
- establishing internal control systems for preventing leakage, misuse and abuse of personal information;
- establishing and implementing training sessions for the protection of personal information;
- protecting, managing, and monitoring personal information files;
- establishing, amending, and implementing a personal information processing policy;
- managing materials concerning the protection of personal information; and
- destroying personal information for which the purpose of processing has been achieved or for which the retention period has expired.
The amended PIPA lays the grounds for the CPO to independently perform his / her duties. Under the Proposed Enforcement Decree, a personal data controller must (i) guarantee the CPO’s access to all information in relation to the processing of personal information, (ii) establish a system for the CPO’s direct reporting to the representative and the board of directors at least once a year, (iii) provide the CPO with human and material resources by creating an organizational structure suitable for the performance of duties, and (iv) prohibit a situation where the CPO is placed at a disadvantage by reason of non-compliance with unreasonable instructions.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.
This is a good example of an area of the GDPR where Member State gold plating laws are likely.
Spain regulation
The NLOPD includes a lengthy list of organisations and companies that are required to appoint a DPO. Accordingly, insurance or reinsurance companies, financial credit institutions, educational institutions, electric and natural gas distributors, and advertising and marketing companies, among others, are required to appoint a DPO. The NLOPD also allows organisations and companies to voluntarily appoint a DPO. Please note that, in either case, the appointment of the DPO must also be communicated to the AEPD using the AEPD online facilities.
The PDPA requires controllers and processors which are not public authorities to appoint a Data Protection Officer (“DPO”) where their core activities consist of:
- processing operations that require regular and systematic monitoring of data subjects on a prescribed scale or magnitude;
- processing special categories of personal data on a prescribed scale or magnitude; or
- processing which results in a risk of harm to the rights of the data subjects protected under the PDPA.
The PDPA permits a group of entities to appoint a single DPO provided, however, that such DPO is easily accessible to all of the group entities.
Such DPO is required to be a competent individual possessing academic and professional qualifications in matters relating to data protection.
The specific responsibilities of the DPO under the PDPA include:
- advising controllers or processors on data processing requirements;
- ensuring on behalf of the controller or processor that the requirements of the PDPA are met;
- enabling capacity building of staff engaged in data processing operations;
- advising on personal data protection impact assessments; and
- cooperating and complying with all directives and instructions issued by the Authority.
EU regulation
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must report directly to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
- to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
Sweden regulation
There are no derogations in Swedish national law, except that under the Data Protection Act, a DPO performing tasks under Article 37 GDPR shall not disclose without authorisation what has come to their knowledge in the performance of their tasks. The Swedish Public Access to Information and Secrecy Act (2009:400) applies in relation to the confidentiality obligation of a DPO within the public sector.
There is no requirement to appoint a data protection officer (DPO).
However, controllers have the option to appoint a DPO as a contact point for the data subjects and the competent data protection authorities. A DPO's main tasks would be to train and advise private controllers in data protection matters and to participate in the implementation of data protection regulations.
The controller may also designate an “independent” DPO who meets certain additional qualifications. In such a case, the controller has to ensure that the DPO has all necessary resources (including access to the data processing activities and personal data) to fulfil its tasks and has the right to inform the management or governing body regarding important data protection matters. Additionally, the DPO must exercise its function in a professionally independent manner and without being bound by instructions from the controller and shall not perform any activities which are incompatible with its tasks as DPO. The DPO shall also possess the required expertise. Finally, the contact details of the DPO must be published and notified to the FDPIC.
If an “independent” DPO is appointed, the controller has no obligation to consult with the FDPIC in the event that a data protection impact assessment indicates a high risk to the personality or the fundamental rights of the data subject despite the measures planned by the controller. This is the only relief granted for appointing an “independent” DPO.
The PDPA does not impose a general requirement to have a data protection officer. However, there are industry-specific regulations in certain industries (such as financial institutions or airlines) requiring personnel to handle personal data protection matters.
Tajik law does not require the appointment of a Data Protection Officer or any similar position.
Data controllers or processors must appoint a data protection officer whose role is to ensure that control and security measures are in place to protect the personal data that is collected or processed. The data protection officer must, among other things, also ensure compliance with the PDPA and its regulations in the processing of personal data by the data controller or processor, handle applications or complaints made by data subjects, their representatives or any other person to the data controller or processor in relation to the collection or processing of personal data, and prepare and submit quarterly compliance reports to the Commission.
Data Controllers and Data Processors are only required to appoint a data protection officer (DPO) if they qualify under any of the following:
- They are a public authority as prescribed and announced by the Regulator;
- Their activities require regular monitoring of Personal Data or of a system due to the collection, use or disclosure of a large amount of Personal Data, as prescribed by the Regulator; or
- The core activity of the Data Controller or the Data Processor involves the collection, use, or disclosure of Sensitive Personal Data.
The relevant subordinate regulation was issued on 14 September 2023. It sets out criteria for the core activities of Data Controllers and Data Processors that require ‘regular monitoring’ and indicates the factors to be considered in determining a ‘large amount’ of Personal Data. For example, if the core activities consist of tracking, monitoring, analysing, or profiling of personal behaviour or characteristics, and generally involve the processing of Personal Data in a systematic manner and on a regular basis, such core activities require ‘regular monitoring’. If the processing of Personal Data covers 100,000 data subjects or more, or is for behavioural advertising purposes via a search engine or social media, or is carried out by an insurance company, financial institution, or licensed telecommunications operator, such processing is considered the processing of a ‘large amount’ of Personal Data.
None.
There is no such requirement under the DPA.
Under Tunisian law (Law n° 2004-63 dated July 27, 2004), there is no reference to Data Protection Officers.
Nevertheless, with regard to health data protection, under Decision No. 4 of September 5, 2018, which organizes personal health data, healthcare establishments must appoint a DPO.
For other types of sensitive personal data, it is preferable that each entity that processes personal data provides data subjects with an address for its DPO through which they can exercise their right of access to their data and their right to object to the processing of their data.
There is not yet a requirement in Turkey to appoint a data protection officer in the sense of GDPR. However, there is a requirement to appoint a local Representative for foreign controllers.
No appointment of a data protection officer is required under the Data Protection Law.
Controllers and Processors must appoint a DPO where:
- the Processing is carried out by a public authority, except for courts acting in their judicial capacity;
- the core activities of the Controller or the Processor consist of Processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of Data Subjects on a large scale; or
- the core activities of the Controller or the Processor consist of Processing on a large scale of special categories of Personal Data.
Data Protection Officers (“DPOs”) are mandatory for:
- DIFC Bodies (as defined under the DPL, other than courts acting in their judicial capacity); and
- a Controller or Processor performing High Risk Processing Activities on a systematic or regular basis.
A Controller or Processor could also be required to appoint a DPO by the Commissioner.
A Group (defined under DPL) may appoint a single DPO provided that he is easily accessible to each entity in the Group. The DPO must reside in the UAE unless he is an individual employed within the organisation's Group and performs a similar function for the Group on an international basis.
In addition, if a Controller or Processor is not required to appoint a DPO, it must still clearly allocate responsibility for oversight and compliance with respect to data protection duties and obligations and provide details to the Commissioner (i.e. the person appointed, pursuant to the DPL, to monitor, ensure and enforce compliance with the DPL).
(Article 16 DPL)
There is a requirement for each Licensee to have one or more Data Protection Officers (DPO). The responsibilities of the Data Protection Officers include:
- the encouragement of compliance by the Licensee with the HDPR;
- dealing with requests made to the Licensee under the HDPR; and
- otherwise ensuring compliance by the Licensee with the provisions of the HDPR (section 40 HDPR).
Processors and Controllers who are:
- conducting data processing which would cause a high risk to the confidentiality and privacy of the Data Subject’s personal data as a consequence of adopting new or data size-based technologies;
- conducting data processing that will involve a systematic and comprehensive assessment of sensitive personal data, including profiling and automated processing; or
- processing large volumes of sensitive personal data,
will need to appoint a DPO.
The DPO can be a staff member or someone working on a service contract and does not necessarily need to be located in the UAE.
Every entity whose activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or whose activities consist of processing special personal data, is required to designate a personal data protection officer charged with ensuring compliance with the data protection law. There are no criteria for the appointment of data protection officers provided by the Act or Regulations.
Under Regulation 47 of the Data Protection and Privacy Regulations, the Personal Data Protection Office is required to specify the persons, institutions, and public bodies required to designate a data protection officer. This publication is yet to be released by the Office.
Data owners and processors processing personal data that is of particular risk to the rights and freedoms of personal data subjects, must establish a special department or appoint a responsible person (data protection officer) to be responsible for the personal data processing matters. Other owners and processors may either establish a department or appoint a responsible person on a voluntary basis.
There are no requirements for the data protection officer to be a citizen or a resident of Ukraine. However, if he or she is a foreign citizen, under the general rule a work permit must be obtained for him or her to hold such a position. There are no particular penalties for the incorrect appointment of a Data Protection Officer.
Under the UK GDPR, each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in the UK GDPR, include (Article 39):
- to inform and advise on compliance with the UK GDPR and other UK data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.
With the exception of entities regulated by HIPAA, there is no general requirement to appoint a formal data security officer or data privacy officer.
Massachusetts and some other state laws and federal regulations, including the recently updated FTC Safeguards Rule (applicable to non-banking financial institutions), require organizations to appoint one or more employees to maintain their information security program.
The appointment of a Data Protection Officer (DPO) is mandatory in the following cases: (i) public state or non-state entities, (ii) private or partially state-owned entities, (iii) private entities which process sensitive data as a core activity, and (iv) private entities which process large scales of data.
Decree 64/2020 clarifies that large scales of data means the data processing of more than 35,000 subjects.
The DPO must meet the conditions required for the correct performance of his/her duties. He/she must act autonomously in technical matters.
The appointment of a DPO must be submitted to the URCDP for its approval. If the legal and technical requirements are not met, the Regulator is entitled to deny or revoke (as the case may be) the filing / authorisation of the appointed DPO.
According to the Law on Personal Data, government bodies, legal entities and individuals processing personal data (i.e. operators of personal data) or having the right to use and dispose of personal data (i.e. owners of personal data) must designate a structural unit or a responsible person to organize work with respect to personal data protection in the course of its processing, in accordance with the Model Rules on Processing of Personal Data, registered with the Ministry of Justice under No. 3477 on November 15, 2023.
There is no legal requirement to appoint a Data Protection Officer.
When sensitive personal data is collected and processed, information on the Data Protection Department (“DPD”) and Data Protection Officer (“DPO”) must be notified to the authority. In practice, the notification will be made by providing the information in the DPIA and the TIA dossiers submitted to the authority.
The PDPD does not set out any specific qualifications of the person eligible to be appointed as a DPO.
The appointment of a DPD / DPO must be made in the form of a written decision made by the company (i.e. a board resolution or a letter of appointment signed by the company's legal representative and affixed with the stamp of the company) and a copy of this written decision is required to be submitted alongside the DPIA / TIA dossiers.
Data controllers and data processors are required to appoint a data protection officer in line with the guidelines issued by the Data Protection Commissioner.
Data Protection Officers
Data controllers are required to appoint a data protection officer ("DPO") and notify the Authority in writing using Form DP2. The Authority must also be notified of any changes to the DPO's contact information, dismissal, or resignation. DPOs must have the following qualifications:
- Skill, qualifications, or experience in data science, data analytics, information security systems, information systems audit, law, audit, or any other relevant qualification;
- Knowledge of national data protection laws and practices;
- Understanding of the data controller’s business operations and processing activities;
- Certification through a course approved by the Authority.
DPOs have the following duties:
- Monitoring compliance with the Act, the Regulations, and organizational data protection policies;
- Managing internal data protection activities;
- Raising awareness of data protection;
- Training staff on data protection;
- Conducting internal data protection compliance audits;
- Dealing with requests from the Authority and data subjects;
- Advising employees on their data protection obligations;
- Advising on and monitoring data protection impact assessments;
- Working with the Authority; and
- Acting as the contact point for data subjects.