Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?

Data Protection & Cyber Security

Russia

It is mandatory to appoint a data protection officer (“DPO”) under the Personal Data Law. The DPO shall undertake the following duties:

  • Conduct internal control over the compliance of the data controller and its employees with the applicable legislation.
  • Ensure the awareness of the data controller’s employees of the requirements of the applicable legislation and the requirements of the data controller’s policies.
  • Arrange the receipt and consideration of requests submitted by data subjects.

The DPO shall be accountable to the executive body of a data controller.

Apart from the above-mentioned key functions, Russian law does not provide for any further guidance on specific tasks and powers of the DPO. These issues are subject to the internal (corporate) rules of the data controller.

Argentina

The Data Protection Law does not require the appointment of a data protection officer.

If approved, the Data Protection Bill (see question 1) would introduce this requirement in certain cases. The Data Protection Bill includes an obligation to appoint a data protection officer in the case of public agencies, processing of sensitive data as a principal activity, or “big data”. The data protection officer would answer only to the highest-ranking members of the public agency or company, and would carry out his duties without receiving any instructions.

Brazil

According to the LGPD, the controller shall nominate/elect/recommend a data protection officer to be responsible for the processing of personal data. The identity and contact information of the officer shall be publicly disclosed, in a clear and objective manner, preferably on the controller's website.

The activities of the data protection officer consist of:

  • Accept complaints and communications from data subjects, provide clarifications and adopt measures;
  • Receive communications from the national authority and adopt measures;
  • Guide employees and contractors regarding the practices to be taken in relation to the protection of personal data;
  • Perform other duties determined by the controller or established in complementary rules.

In addition, the national authority may establish complementary rules about the definition and attributions of the data protection officer, including the cases in which the appointment of a data protection officer may be waived, according to the nature and size of the entity or the volume of its data processing operations.

Bulgaria

GDPR rules and requirements with respect to the appointment of a data protection officer fully apply.

When the appointment of a data protection officer is required, or when the company has decided to appoint a data protection officer without being obliged to, the appointment shall be notified to the Bulgarian Commission for Personal Data Protection. The notification includes names, national personal identification number (or personal identification number of a foreigner), and contact details.

The data protection officer’s legal responsibilities are entirely covered by GDPR provisions (Article 37 GDPR and following) and Bulgarian legislation does not go beyond these provisions.

Switzerland

The appointment of an official data protection officer is optional. Often a data protection officer is appointed in order to avoid the notification of data files (see art. 11a para. 5 lit. e FADP).

If appointed, the responsibilities are set out in art. 12b of the Ordinance to the FADP. The data protection officer has the following duties:

  • he audits the processing of personal data and recommends corrective measures if he ascertains that the data protection regulations have been infringed.
  • he maintains a list of the data files in accordance with art. 11a para. 3 FADP, which are operated by the controller of the data files; this list must be made available to the FDPIC or on request to data subjects.

Art. 12b Ordinance to the FADP further requires that the data protection officer

  • acts independently and without instructions from the controller of the data file;
  • has the necessary resources; and
  • has access to all data files and receives all necessary information.

Spain

According to Spanish law, data controllers and data processors shall appoint a data protection officer in the cases provided for in Article 37.1 of Regulation (EU) 2016/679 and, in any case, where they are among the entities listed in article 34 LOPD.

Chile

There is no Data Protection Officer in Chile yet. Not applicable.

Germany

All public authorities that process personally identifiable information must appoint a data protection officer (DPO) (Art. 37 (1) GDPR, § 5 FDPA). Non-public organizations, on the other hand, are only required to appoint a DPO under specific conditions (Artt. 37 in conjunction with 9, 10 GDPR). The controller and the processor shall designate a data protection officer in any case where

  • the core activities of the organization consist of processing operations which, by virtue of their nature or their purposes, require regular and systematic monitoring of data subjects on a large scale,
  • the core activities of the organization consist of processing on a large scale of special categories of data,
  • the core task is defined as the most important work process and the organization’s principal activity.

These provisions are further extended by § 38 FDPA. According to the FDPA, a non-public organization is required to appoint a DPO if

  • they normally keep at least ten persons permanently engaged in the automated processing of personal data,
  • they carry out processing operations subject to a data protection impact assessment in accordance with Article 35 of Regulation (EU) 2016/679,
  • or if they process personal data commercially for the purpose of transmission, anonymous transmission or for purposes of market or opinion research.

The data protection officer may be a staff member of the controller or processor or fulfil the tasks on the basis of a service contract.

The GDPR states several legal responsibilities the data protection officer must bear.

These include for example:

  • informing and advising the controller or the processor and employees about their data privacy management obligations,
  • monitoring compliance, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations,
  • providing advice where requested,
  • cooperating with the supervisory authority and acting as the contact point for the supervisory authority on issues relating to processing.

China

The CSL requires network operators to appoint personnel responsible for cybersecurity.[30] Organizational measures in the PI Specification also advise a personal information controller to appoint a head in charge of personal information protection and an agency in charge of personal information protection.[31] If an organization has more than 200 personnel and its main business involves processing personal information, or if the organization is expected to handle the personal information of more than 500,000 people within 12 months, it should establish a department with designated staff in charge of personal information security.[32] Distinguished from the DPO under the GDPR, the person in charge of personal information protection is less independent, as he or she would be directly responsible for personal information security.[33]

30 - CSL. § 21.1.

31 - PI Specification. 10.1 b).

32 - PI Specification. 10.1 c).

33 - PI Specification. 10.1 d) 1).

Indonesia

Under the current prevailing regulations, there is no requirement to appoint a data protection officer or other designated person in respect of data protection. Under MCI Regulation 20/2016, an ESO is only required to provide an accessible contact person to the Data Subject in relation to the processing of his/her Personal Data.

India

Privacy Rules

The Privacy Rules mandate the appointment of a grievance officer by the body corporate. The role of such grievance officer is limited to addressing discrepancies and grievances of Data Subjects relating to the processing of their information by the body corporate.[38]

Under existing laws, there is no provision for the appointment of a data protection officer of the kind common in other jurisdictions.

Privacy Bill

The Privacy Bill, however, does contemplate the appointment of a data protection officer ("DPO") by "significant data fiduciaries".[39] The Bill states that DPOs need to meet specific eligibility and qualification criteria (as may be prescribed) and sets out the following responsibilities:

(a) monitoring processing activities of data fiduciaries to ensure compliance with the Bill;

(b) co-operating with the Authority on compliance with the Bill; and

(c) maintaining an inventory of all records related to processing activities of the data fiduciaries, as prescribed under the Privacy Bill.

38 - The grievance officer is required to redress grievances expeditiously, no later than one month from the date of grievance.
39 - Please see our response to Query 2 for more details in relation to significant data fiduciaries.

Portugal

As prescribed in article 37 of the GDPR, the controller and the processor are required to appoint a data protection officer (DPO) in any case where:

a) The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

b) The core activities of the controller or the processor consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

c) The core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

A group of undertakings may appoint a single data protection officer provided that a DPO is easily accessible from each establishment.

The DPO may be a staff member of the controller or processor or fulfil the tasks on the basis of a service contract, as long as he/she is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks legally established.

The controller or the processor shall publish the contact details of the DPO and communicate them to the CNPD through an on-line notification form at https://www.cnpd.pt/DPO/?AspxAutoDetectCookieSupport=1. The CNPD also published FAQs regarding DPOs at https://www.cnpd.pt/bin/faqs/faqs.htm.

Where the controller or the processor is not required to appoint a DPO, it is highly recommended to have another person in charge of data protection at the organization.

The DPO shall have at least the following tasks, as outlined in article 39 of the GDPR:

a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations;

b) to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

c) to provide advice where requested as regards the data protection impact assessment and monitor its performance;

d) to cooperate with the supervisory authority;

e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

Finally, the Article 29 Working Party Guidelines on DPOs (WP243rev.01) provide guidance on the designation, position and tasks of the DPO which controllers and processors, in the absence of specific laws, regulations and guidelines in their jurisdiction, should take into consideration, as these guidelines reflect the position of the European data protection authorities and their interpretation of the GDPR provisions.

United Kingdom

A person must appoint a data protection officer (DPO) if:

  • it is a public authority or body (except for courts acting in their judicial capacity);
  • its core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or
  • its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. A group of undertakings can select a single DPO providing that the DPO is easily accessible from each establishment. A single DPO may also be designated for several public bodies/authorities. The DPO does not have direct statutory liability under the DPA 2018.

If a decision is made to voluntarily appoint a DPO, the business should be aware that the same requirements as to the position and tasks of the DPO apply as if the appointment had been mandatory.

The DPO’s tasks are:

  • to inform and advise on data protection laws;
  • to monitor compliance with data protection laws, and with the business' data protection policies, including training staff and conducting internal audits;
  • to advise on, and to monitor, data protection impact assessments;
  • to cooperate with the Information Commissioner's Office and other supervisory authorities; and
  • to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

Sweden

Yes, according to article 37 of the GDPR, the controller and the processor shall designate a so-called data protection officer in any case where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

There are no additional cases where a data protection officer must be designated in the Data Protection Act or the Data Protection Ordinance.

The data protection officer shall be involved in all issues which relate to the protection of personal data. The data protection officer shall at least have the following tasks:

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions;
  • to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to article 35 of the GDPR;
  • to cooperate with the supervisory authority; and
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation described under question 9, and to consult, where appropriate, with regard to any other matter.

Greece

Although Directive 95/46/EC (article 18) included a reference to the Data Protection Officer (hereinafter, “DPO”), Law 2472/1997 implementing the Directive did not include relevant provisions. However, the Greek draft law following the GDPR clarifies the appointment of a DPO to some extent, in addition to the general criteria introduced by the GDPR. The provisions of the Greek draft law (article 14) refer to the national list, issued by the HDPA, of processing activities involving regular and systematic monitoring of data subjects on a large scale, in order to establish the obligation to appoint a DPO for entities conducting such processing.

However, to date the HDPA has not specified “large scale” in terms of numerical thresholds. The formality of notifying a DPO’s appointment to the HDPA is satisfied by the electronic submission of a specific form provided by the HDPA for this purpose.

Moreover, the HDPA, in light of the GDPR, has reiterated that the role of a DPO is advisory rather than decision-making and that the DPO does not have personal liability for non-compliance with the requirements of the GDPR. The appointment is concluded in writing, and the relevant tasks and role should be framed in accordance with the relevant provisions of the GDPR. Amongst the DPO’s tasks the HDPA has identified raising awareness and building a data protection culture within the entity concerned, and informing and advising the entity on its obligations arising from the legal framework. The DPO should also monitor internal compliance, undertake staff training, conduct internal audits, advise on DPIAs and follow up their implementation. Furthermore, the DPO should serve as the contact person for both supervisory authorities and data subjects and should cooperate with the supervisory authority.

Turkey

There is no requirement to appoint a data protection officer under the Law No. 6698. However, two categories of responsible individuals are introduced thereunder: “representative of the data controller” and “contact person”.

Foreign entities that are considered data controllers are obliged to register with the Registry through their representative, who must be either a natural person who is a Turkish citizen or a legal person established in Turkey. The obligation to appoint a contact person, whose function is to convey communication between the data controller and the Board, must be complied with by foreign entities through their representative and also by national entities.

Austria

In Austria, there is no general obligation to appoint a data protection officer. Such an appointment is only required within the framework of art. 37 GDPR.

In many enterprises, however, compliance officers are appointed, whose responsibilities include data protection and the handling of confidential information. The legal status of such compliance officers is not regulated by law, but is determined by the respective contractual arrangement made.

France

A person must appoint a data protection officer ('DPO') if:

  • it is a public authority or body (except for courts acting in their judicial capacity);
  • its core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. A group of undertakings can select a single DPO providing that the DPO is easily accessible from each establishment. A single DPO may also be designated for several public bodies/authorities. The DPO does not have direct statutory liability under the French DPA 2018.

If a decision is made to voluntarily appoint a DPO, the business should be aware that the same requirements as to the position and tasks of the DPO apply as if the appointment were mandatory.

The DPO’s tasks are:

  • to inform and advise on data protection laws;
  • to monitor compliance with data protection laws, and with the business' data protection policies, including training staff and conducting internal audits;
  • to advise on, and to monitor, data protection impact assessments;
  • to cooperate with the CNIL and other supervisory authorities; and
  • to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).

In the performance of their tasks, DPOs are supported by the CNIL. The authority leads sectoral, business and/or geographic networks of DPOs, runs awareness workshops and promotes the certification of DPO skills.

It also provides a dedicated telephone hotline and e-mail address to answer their questions.

United States

U.S. privacy laws do not require appointment of a data protection officer. However, it is a common practice for the FTC and state attorneys general to require as part of the settlement of an enforcement action that a company hire a chief privacy officer who has C-level authority with direct reporting to the chief executive or the board of directors, and that it develop and maintain robust privacy and data protection policies and practices. HIPAA requires covered entities to designate a privacy officer and a security officer, and business associates to designate a security officer. HIPAA considers a covered entity to be any health plan, healthcare clearinghouse or healthcare provider in the U.S. that transmits health information in electronic form. HIPAA considers a business associate to be any person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. The privacy and security officer(s) can have other titles and duties in addition to these roles. The privacy officer is responsible for overseeing the organization’s development, implementation and maintenance of HIPAA-compliant privacy policies and procedures for all health information, not just that which is stored or transmitted electronically. The security officer implements policies and procedures to avoid, identify, contain and resolve potential security risks to electronic health information. Both are responsible for ensuring their staff are properly trained on the applicable HIPAA requirements.

Malaysia

Currently, Malaysian law does not require that data users appoint a data protection officer.

Gibraltar

The GRA has established a public register of DPOs in accordance with DPA section 138.

An entity is required to appoint a DPO where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the data controller or the data processor consist of processing on a large scale of special categories of personal data or personal data relating to criminal convictions and offences; or
  • it is a law enforcement entity and must appoint a DPO as required by the EU Law Enforcement Directive.

GDPR Article 39 states that the DPO shall have at least the following tasks:

  • to inform and advise the data controller or the data processor and the employees who carry out processing of their obligations pursuant to GDPR or the Member State’s data protection provisions;
  • to monitor compliance with the GDPR and other applicable data protection provisions, and with the policies of the relevant data controller or processor, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • to provide advice where requested as regards the DPIA and monitor its performance;
  • to cooperate with the GRA; and
  • to act as the contact point for the GRA on issues relating to processing, and to consult, where appropriate, with regard to any other matter. In Gibraltar this would be the GRA.

Ireland

A person must appoint a data protection officer (DPO) if:

  • it is a public authority or body (except for courts acting in their judicial capacity);
  • its core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or
  • its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. A group of undertakings can select a single DPO provided that the DPO is easily accessible from each establishment. A single DPO may also be designated for several public bodies/authorities.

If a decision is made to voluntarily appoint a DPO, the organisation should be aware that the same requirements of the position and tasks apply had the appointment been mandatory.

The DPO’s tasks (at a minimum) are:

  • to inform and advise on data protection laws;
  • to monitor compliance with data protection laws, and with the business' data protection policies, including training staff and conducting internal audits;
  • to advise on, and to monitor, data protection impact assessments;
  • to cooperate with the DPC and other supervisory authorities; and
  • to be the first point of contact for supervisory authorities and for data subjects whose data is processed.

Updated: June 17, 2019