||Designation of a Data Protection Officer
|Austria||05.06.2018||The ADPA does not provide for specific preconditions to appoint a Data Protection Officer. Thus, the general provisions of the GDPR apply.
Sec 5 ADPA merely provides for a specific obligation for Data Protection Officers to keep all received information strictly confidential.
|Czech Republic||13.09.2018||Section 14 stipulates that obligation to appoint a Data Protection Officer under Article 37(1)(a) GDPR also applies to bodies established by law that fulfill tasks imposed by law in public interest.
|Denmark||06.09.2018||§ 24 binds DPOs to secrecy.
|Finland||13.11.2018||There are obligations to appoint a Data Protection Officer under the Act on Electronic Prescription and the current Act on the Electronic Processing of Customer Data in Social and Health Care Services. This obligation applies, inter alia, to pharmacies, health care service providers and the Social Insurance Institution of Finland.
An obligation of secrecy for DPOs is included in the Data Protection Act.
|Germany||23.05.2018||§ 38 FDPA: A DPO must always be appointed when (1) more than 10 persons regularly take part in processing personal data; or, regardless of the number of persons involved in the processing per personal data, (2) whenever a DPIA has to be carried out; or (3) whenever personal data is processed to be transferred for commercial reasons, anonymised transfer or for purposes of market research and opinion polls.
This means that the threshold for the appointment of a DPO is much lower in Germany than compared to that of the GDPR. The German legislator has more or less kept the previous framework.
|Hungary||01/04/2019||No specific provisions.
|Ireland||7.06.2018||Under section 24 of the Act, the Minister for Justice and Equality may enact secondary legislation which specifies categories of controller for whom the appointment of a Data Protection Officer will be mandatory.
|Netherlands||17.09.2018||No material derogations. DPO is obliged to maintain confidentiality with regard to all matters that have become known to him through a complaint or request from the data subjects concerned, unless the person concerned agrees to disclosure (Art. 39 UAVG).|
|Poland||07.09.2018||No special requirements. Only rules related to notification of the DPO to the PUODO.|
|Slovakia||13.09.2018||Essentially the same as under GDPR.
|Spain||05.03.2019||Article 34 of the SDPA states that a controller/processor shall appoint a DPO as provided by article 37(1) of the GDPR and includes a list of industries covered by article 37(1):
• official professional associations and their General Councils;
• educational centres offering regulated studies as provided by the Spanish Right to Education Act and public and private universities;
• entities operating electronic communications networks and offering electronic communication services, as stated by the General Telecommunications Law, processing personal data on a large scale;
• information society services providers carrying out data subject profiling activities on a large scale;
• banks, credit unions and the Official Credit Institute;
• private financial credit institutions;
• insurance and reinsurance companies;
• investment services companies subject to the stock market legislation;
• energy and natural gas distributors and marketers;
• entities in charge of creditworthiness data files and in charge of fraud prevention data files;
• entities carrying out advertising and commercial research activities based on the data subjects' preferences or carrying out data subjects' profiling activities;
• health facilities legally obliged to keep patients' medical histories (health professionals acting on their own as freelance are excluded);
• entities carrying out business/credit reports regarding individuals;
• entities offering gambling and gaming services by electronic, informatics, telematics or interactive means;
• private security companies; and
• sports federations when processing underage individuals' personal data.
|UK||23.05.2018||The Data Protection Act 2018 does not introduce derogations to the GDPR regarding the designation of a data protection officer.