- Section 47 of the Law makes it a requirement that organisations appoint a data protection officer (DPO) in some circumstances.
- The Law also contains provisions about the tasks a DPO should carry out and the duties of the employer in respect of the DPO.
- The requirement to appoint a DPO and the duties of a DPO differ under the Law Enforcement Ordinance from those under the Law. When processing personal data for a law enforcement purpose under the Law Enforcement Ordinance, please consult sections 39 to 42 of the Ordinance.
When does a Data Protection Officer need to be appointed under the Law?
Under the Law, you must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking) as part of your core activity; or
- carry out large scale processing of special category data as part of your core activity.
Core activity can be considered to be the key operations necessary to achieve the controller’s or processor’s goals. This includes cases where the processing of personal data forms a vital part of the delivery of that core activity. For example, the core activity of a GPs’ practice is to provide healthcare, and that cannot be achieved effectively without the use of patients’ health records. Therefore, under the Law, a GPs’ practice would need to designate a DPO.
A controller or processor may choose to voluntarily appoint a DPO if the above conditions do not apply.
Regardless of whether the Law obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the Law.
Who can be a DPO?
The DPO role can be assigned to:
- a dedicated staff member;
- a staff member with other duties; or
- a contracted external party.
However the role is fulfilled, the DPO must not undertake any other duties that conflict with their DPO duties.
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. In such cases the DPO must be easily accessible from each entity within that group and must be able to allocate an appropriate and proportionate amount of their time to each entity.
What are the DPO's tasks?
The DPO’s minimum tasks are defined in sections 50 and 51 of the Law:
- To inform and advise the organisation and its employees about their obligations to comply with the Law and other enactments.
- To monitor compliance with the Law and with internal data protection policies, advise on data protection impact assessments, train staff and conduct internal audits.
- To act as the first point of contact for the Office of the Data Protection Authority (ODPA) on issues relating to processing.
- To cooperate with the ODPA as necessary.
Other duties in relation to DPOs
- To give written notice to the ODPA of the name and contact details of the DPO.
- To publish a notice confirming the designation of the DPO and contact details and allow individuals to contact the officer directly with regard to data protection issues.
- To involve the DPO in all issues relating to data protection affecting the organisation.
How should DPOs be supported?
You must ensure that:
- The DPO reports to the highest tier of management of your organisation.
- The DPO operates independently and is not dismissed or penalised for performing their task.
- Adequate resources are provided to enable DPOs to meet their legal obligations and maintain their knowledge.
- The DPO is able to access all personal data and the processing operations of the organisation.
- There is no conflict of interest in relation to the performance of the DPO’s functions.
Does the DPO need specific qualifications?
The Law does not specify the precise credentials a DPO is expected to have. It does require that they should have professional experience and knowledge of data protection law. This should be relevant and proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.
Additional guidance available
The European Data Protection Board has published its own guidance on data protection officers that you may find useful. It includes guidance on what will be deemed a conflict of interest in relation to the DPO’s duties.