CEDPO has introduced the GDPR watchdog which will focus on developments regarding the DPO at Member State level:
DESIGNATION OBLIGATIONS PER MEMBER STATE
According to Art. 21 of the Belgian Act on Data Protection every non-public body that carries out the processing of personal data for the benefit of a federal authority or to which personal data have been transferred by a federal authority must appoint a data protection officer if the processing of the data is likely to lead to a high risk for data subjects in accordance with Art. 35 of the GDPR.
Part IV 14, Law 125(I)/2018: The Cypriot supervisory authority has the legal power to publish a list of processing activities, which is intended to trigger a designation obligation under Art. 37 paragraph 1 GDPR. A corresponding publication has not yet taken place.
The German parliament has passed an extensive Bill addressing the opening clauses for a specific implementation of the GDPR at Member State level.
Art. 37 paragraph 4 of the GDPR allows Member States to stipulate other cases in which a DPO has to be designated than referred to in paragraph 1.
The German Federal Data Protection Act (FDPA) stipulates in Sect. 38 that Controllers and Processors in the non-public sector shall generally appoint a DPO when at least twenty persons are employed to carry out an automatic processing of personal data on an ongoing basis.
Regardless of the number of employees being permanently employed for the processing of personal data, the designation of a DPO shall also be mandatory in cases where
- a Data Protection Impact Assessment is required in accordance with Art. 35 of the GDPR, or,
- the Controller or Processor’s business purpose is to collect and store data commercially for the purpose of transfer in personalized or anonymized form, or,
- the Controller or Processor’s business purpose is to collect and store data commercially for the purposes of market or opinion research.
Furthermore, the FDPA provides for a protection against dismissal (Sect. 6 paragraph 4). The termination of the employment relationship with a DPO shall only be lawful if facts are present on the basis of which the employer cannot reasonably be expected to continue the employment relationship to the end of the regular notice period or to the agreed end of the employment relationship.
Sect. 6 paragraph 5 FDPA stipulates that the DPO shall be bound to maintain secrecy on the identity of the data subject and on circumstances permitting conclusions to be drawn about the data subject, unless he/she is released from this obligation by the data subject.
In so far as the DPO obtains knowledge of data in the course of his or her activities in connection with which a right of refusal to give evidence applies on professional grounds to the head of the public or private body or a person employed at such a body, this right shall also apply to the DPO and his/her assistants. The person to whom the right of refusal to give evidence applies on professional grounds shall decide whether to exercise this right, except where it will not be possible to effect such a decision in the foreseeable future. To the extent to which the DPO’s right of refusal to give evidence applies, the DPO’s files and other documentation shall be subject to a prohibition of seizure (Sect. 6 paragraph 6).
Art. 34 of the Spanish LOPD: Controllers or processors must in any case have a data protection officer if they are
- chambers and bodies including their general councils,
- educational institutions providing education at all levels provided for in the education laws, including private and public universities,
- organisations operating networks and providing electronic communications services within the meaning of the applicable laws, if they process personal data on a large scale, occasionally and systematically,
- social network providers, if they produce large scale user profiles,
- financial institutions in accordance with Article 1 of Law 10/2014 of June 26,
- credit institutions,
- insurance undertakings and reinsurance undertakings,
- investment services regulated by the stock exchange laws,
- energy suppliers and marketers of electrical energy and suppliers and marketers of gas,
- organisations responsible for shared files relating to credit assessment or fraud management or prevention, including those responsible for files regulated by laws on preventing and combating money laundering and the financing of terrorism,
- organisations carrying out advertising campaigns or commercial research, including market analysis and market research, if they carry out processing operations on the basis of the preferences of the data subjects or create profiles of them,
- healthcare institutions that are legally obliged to store patient data. This does not apply to healthcare professionals who carry out their activities as individuals, even if they are obliged to keep patient data,
- organisations involved in the publication of company reports, provided that the reports relate to a natural person,
- (gambling) operators who develop their activity via electronic, telematic or interactive channels and who are regulated by the laws governing (gambling) operators,
- private security companies,
- sports associations, when they process data of minors