The Data Protection Officer (DPO) is a key element of the General Data Protection Regulation (GDPR).
What are the essential qualifications for a DPO?
The DPO shall have appropriate knowledge of law and data protection, though he/she doesn’t need to be a jurist. The DPO can be a natural or legal person, internal or external, and he/she will be responsible for advising, informing and monitoring compliance with the GDPR.
Also, the DPO shall act independently (the controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks) and he/she shall report directly to the highest management level of the controller or the processor.
Do I need a DPO in my organization?
A Data Protection Officer is not required in every case (although appointing one is recommended). It is mandatory, however, in these cases:
- The processing is carried out by a public authority or government unit.
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (for example, video monitoring).
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
