Article 37 of GDPR
Outsourcing of the data protection officer (DPO)

Who

Data controllers and data processors

When

The controller and the processor shall designate a data protection officer in any case where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity,
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

What are the DPO’s tasks

The data protection officer shall have at least the following tasks:

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to GDPR and to other Union or Member State data protection provisions,
  • to monitor compliance with GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits,
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35 of GDPR,
  • to cooperate with the supervisory authority,
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of GDPR, and to consult, where appropriate, with regard to any other matter.