Designation of a Data Protection Officer

Last reviewed
Designation of a Data Protection Officer

Belgium 28.07.2017 n/a
Czech Republic 29.06.2017 n/a
Denmark 29.06.2017 n/a
Finland 02.08.2017 The Working Group has proposed an obligation of secrecy for DPOs to be included in the new Data Protection Act.
France 29.06.2017 n/a
Germany 07.08.2017 Yes - § 38: A DPO must always be appointed when (1) more than 10 persons regularly take part in processing personal data; or, regardless of the number of persons involved in the processing per personal data, (2) whenever a DPIA has to be carried out; or (3) whenever personal data is processed to be transferred for commercial reasons, anonymised transfer or for purposes of market research and opinion polls.

This means that the threshold for the appointment of a DPO is much lower in Germany than compared to that of the GDPR. The German legislator has more or less kept the current framework.
Ireland  12.09.2017  The General Scheme envisages that the Minister for Justice and Equality will have the power to specify categories of controller for whom the appointment of a Data Protection Officer will be mandatory.
Italy 28.06.2017 DPA refers to the WP29 guidelines.
Netherlands 28.06.2017 n/a
Poland 01.08.2017 n/a
Spain 27.07.2017 Draft Bill requires a DPO to be appointed at Professional Associations; schools and universities; public network operators; information society service providers; ordenation, supervision and solvency of credit entities; credit insitution; insurance and reisurance companies; entities managing common debtors databases; advertising or marketing entities (where profiling is undertaken); healthcare centres; companies creating commercial reports on persons or organisations; gambling operators; and private security companies.
Sweden 17.07.2017 n/a
UK 07.08.2017 n/a