Under the Law, you must appoint a DPO if you:
Core activity can be considered to be key operations necessary to achieve the controller’s or processor’s goals. This includes where the processing of personal data forms a vital part of the delivery of that core activity. For example, the core activity of a GPs’ practice is to provide healthcare and that cannot be achieved effectively without the use of patients’ health records. Therefore, by Law, a GPs' practice would need to designate a DPO.
A controller or processor may choose to voluntarily appoint a DPO if the above conditions do not apply.
Regardless of whether the Law obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the Law.
The DPO role can be assigned to:
However the role is fulfilled, the DPO must not undertake any other duties that conflict with their DPO duties.
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. In such cases the DPO must be easily accessible from each entity within that group and must be able to allocate an appropriate and proportionate amount of their time to each entity.
The DPO’s minimum tasks are defined in sections 50 and 51 of the Law:
You must ensure that:
The Law does not specify the precise credentials a DPO is expected to have. It does require that they should have professional experience and knowledge of data protection law. This should be relevant and proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.
The European Data Protection Board has published its own guidance on data protection officers that you may find useful. It includes guidance on what will be deemed a conflict of interests in relation to the DPO’s duties.
The Bailiwick of Guernsey's independent authority which regulates data protection legislation through an ethics-based approach, empowers individuals and protects their rights, promotes excellence in data protection, and supports the data economy to embrace innovation.
© 2022 The Office of the Data Protection Authority.