Designation of a Data Protection Officer


Country  Last reviewed  Designation of a Data Protection Officer

Austria 05.06.2018 The ADPA does not provide for specific preconditions to appoint a Data Protection Officer. Thus, the general provisions of the GDPR apply.

Sec 5 ADPA merely provides for a specific obligation for Data Protection Officers to keep all received information strictly confidential.
Belgium 08.10.2018 The BPA does not contain provisions on Data Protection Officers.
Czech Republic 13.09.2018 Section 14 stipulates that the obligation to appoint a Data Protection Officer under Article 37(1)(a) GDPR also applies to bodies established by law that fulfil tasks imposed by law in the public interest.
Denmark 06.09.2018 § 24 binds DPOs to secrecy.
Finland 17.05.2018 The current Personal Data Act does not include any additional obligations to designate a Data Protection Officer. However, there are obligations to appoint a Data Protection Officer under the Act on Electronic Prescription and under the Act on the Electronic Processing of Customer Data in Social and Health Care Services. This obligation applies, inter alia, to pharmacies, health care service providers and the Social Insurance Institution of Finland.
An obligation of secrecy for DPOs is included in the new Data Protection Act.
France 24.05.2018 The New Loi Informatique et Libertés does not contain any specific provision on the DPO.
Germany 23.05.2018 § 38 FDPA: A DPO must always be appointed when (1) more than 10 persons regularly take part in processing personal data; or, regardless of the number of persons involved in the processing of personal data, (2) whenever a DPIA has to be carried out; or (3) whenever personal data is processed for the purpose of transfer for commercial reasons, anonymised transfer, or market research and opinion polls.

This means that the threshold for the appointment of a DPO is much lower in Germany than under the GDPR. The German legislator has more or less kept the previous framework.
Hungary 17.05.2018 n/a
Ireland 7.06.2018 Under section 24 of the Act, the Minister for Justice and Equality may enact secondary legislation which specifies categories of controller for whom the appointment of a Data Protection Officer will be mandatory.
Italy 17.05.2018 The Italian DPA, referring to the relevant WP29 guidelines, has provided some guidance on the categories of data controllers that are more likely to fall under the obligation to appoint a DPO (e.g. financial institutions, insurance companies, financial information systems, credit collection companies, surveillance companies, etc.).
Netherlands 17.09.2018 No material derogations. It is stressed that a DPO is obliged to maintain confidentiality with regard to all matters that have become known to him through a complaint or request from the data subjects concerned, unless the person concerned agrees to disclosure (Art. 39 UAVG).
Poland 07.09.2018 No special requirements. Only rules related to notification of the DPO to the PUODO.
Slovakia 13.09.2018 Essentially the same as under GDPR.
Spain 07.09.2018 Article 34 of the Spanish Data Protection Bill requires the appointment of a DPO in specific circumstances even if the GDPR does not require it. The companies that are required to appoint a DPO under the Bill are:
a) official associations of professionals and general councils of professionals;
b) educational centres offering regulated studies;
c) entities operating electronic communications networks and offering electronic communication services, as stated by the General Telecommunications Law, processing personal data on a large scale;
d) information society services providers carrying out data subjects' profiling activities on a large scale;
e) banks, credit unions and the Official Credit Institute;
f) private financial credit institutions;
g) insurance and reinsurance companies;
h) investment services companies;
i) energy and natural gas distributors and marketers;
j) entities in charge of creditworthiness data files and in charge of fraud prevention data files;
k) entities carrying out advertising and commercial research activities based on the data subjects' preferences or carrying out data subjects' profiling activities;
l) health facilities legally obliged to keep patients' medical histories;
m) entities carrying out business/credit reports regarding individuals;
n) entities offering gambling and gaming services by electronic, informatics, telematics or interactive means; and
o) private security companies and entities offering detective services.

The Bill also regulates the DPO's intervention procedure in case a complaint is brought before the supervisory authority.
Sweden 06.09.2018 n/a
UK 23.05.2018 The Data Protection Act 2018 does not introduce derogations to the GDPR regarding the designation of a data protection officer.