| Country |
Last reviewed |
Designation of a Data Protection Officer |
|---|---|---|
| Belgium | 28.07.2017 | n/a |
| Czech Republic | 29.06.2017 | n/a |
| Denmark | 29.06.2017 | n/a |
| Finland | 02.08.2017 | The Working Group has proposed an obligation of secrecy for DPOs to be included in the new Data Protection Act. |
| France | 29.06.2017 | n/a |
| Germany | 07.08.2017 | Yes - § 38: A DPO must always be appointed when (1) more than 10 persons regularly take part in processing personal data; or, regardless of the number of persons involved in the processing per personal data, (2) whenever a DPIA has to be carried out; or (3) whenever personal data is processed to be transferred for commercial reasons, anonymised transfer or for purposes of market research and opinion polls. This means that the threshold for the appointment of a DPO is much lower in Germany than compared to that of the GDPR. The German legislator has more or less kept the current framework. |
| Ireland | 12.09.2017 | The General Scheme envisages that the Minister for Justice and Equality will have the power to specify categories of controller for whom the appointment of a Data Protection Officer will be mandatory. |
| Italy | 28.06.2017 | DPA refers to the WP29 guidelines. |
| Netherlands | 28.06.2017 | n/a |
| Poland | 01.08.2017 | n/a |
| Spain | 27.07.2017 | Draft Bill requires a DPO to be appointed at Professional Associations; schools and universities; public network operators; information society service providers; ordenation, supervision and solvency of credit entities; credit insitution; insurance and reisurance companies; entities managing common debtors databases; advertising or marketing entities (where profiling is undertaken); healthcare centres; companies creating commercial reports on persons or organisations; gambling operators; and private security companies. |
| Sweden | 17.07.2017 | n/a |
| UK | 07.08.2017 | n/a |