Designation of data protection officer
The controller and processor shall designate a data protection officer in each case in which:
the processing is carried out by a public authority or public body, except in the case of courts in the exercise of their judicial functions;
a controller or the processor is primarily responsible for processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic observation on a large scale of data subjects; or
the controller or processor is primarily responsible for large-scale processing of special categories of data under Article 9 and of personal data relating to criminal convictions and offenses under Article 10.
A concern may appoint a single data protection officer, provided that the data protection officer can be easily contacted from each branch.
Where the controller or processor is a public authority or public body, a single data protection officer may be designated for several such authorities or bodies, taking into account their organizational structure and size.
In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, if so required by Union or Member State law, shall designate a data protection officer. The Data Protection Officer may act for such associations and other bodies representing categories of controllers or processors.
The Data Protection Officer shall be appointed on the basis of his professional qualities and, in particular, his expertise in data protection law and practice and his ability to perform the tasks referred to in Article 39.
The data protection officer may be a staff member of the controller or processor, or may perform the duties under a service agreement.
The controller or processor shall disclose and communicate the contact details of the data protection officer to the supervisory authority.
