Data Protection in Albania

Data protection officers

Obligation to designate a Data Protection Officer (“DPO”) (Article 33)

The controller and the processor must designate a DPO if:

  • The processing is carried out by a public authority or body, excluding courts, in the course of judicial activities;
  • The core activities of the controller or processor involve processing operations that, due to their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale;
  • The core activities of the controller or processor involve processing sensitive data or criminal data on a large scale.

A group of companies may appoint a single DPO, who should be easily accessible to each member of the group. In the case of a public authority, one DPO may be designated to cover multiple authorities, considering their organizational structure and size.

In situations not covered by the first paragraph above, the controller, processor, associations, or other bodies representing a category of controllers or processors may, or in some cases must, designate a DPO, as required by law.

Duties and position of the DPO (Article 34)

The DPO has the following duties: 

  • Provides advice, upon request, to the management bodies of the controller or processor on all matters related to data protection; 
  • Participates in data protection impact assessments; 
  • Informs and advises the staff of the controller or processor on data protection, including raising awareness and training staff involved in processing operations; 
  • Monitors compliance with the Data Protection Law, other applicable data protection provisions, and the policies of the controller or processor, including the assignment of responsibilities, awareness-raising, staff training, and relevant audits; 
  • Cooperates with and serves as a point of contact for the Commissioner; 
  • Gives due attention to the risks of infringing fundamental rights and freedoms that may arise from personal data processing, considering the nature, context, circumstances, and purposes of the processing.

The DPO must be appointed based on certified professional qualifications, particularly with sound knowledge of data protection law and practices, and the ability to perform the tasks outlined in the paragraph above. 

The DPO may be an employee of the controller or processor, or someone under a service contract. The DPO may hold other responsibilities, but the controller or processor must ensure these duties do not conflict with the role of the DPO. 

The controller and processor must ensure the DPO is involved in a timely manner in all matters related to data protection and has the necessary resources to carry out their duties. The DPO must also maintain confidentiality regarding their duties.

The controller and processor must ensure the DPO is not given instructions regarding the performance of their duties and cannot be dismissed or penalized for carrying out their responsibilities. The DPO reports directly to the highest level of management of the controller or processor.

Last modified 28 January 2025

Controllers and any public authority responsible for the prevention and detection of offences, investigations, inquiries and prosecutions, as well as the enforcement and execution of sentences, or any body or entity exercising public authority and exercising law enforcement powers for the purposes of the prevention and detection of offences, investigations, inquiries, criminal prosecutions, and the enforcement and execution of sentences, must appoint a Data Protection Officer (DPO). 

The DPO must be selected on the basis of professional qualities and expertise in data protection law and practices.

The DPO shall:

  • inform and advise on compliance obligations;
  • monitor compliance with applicable data protection rules and internal policies;
  • advise on data protection impact assessments; and
  • act as the contact point with the National Authority.

The form for appointing a representative is available on the portal of the National Authority's website.

The data controller or its authorised representative will be considered the official contact for the National Authority.

In the case of a data officer established abroad, in accordance with Article 04 (point 02) of Law No. 18-07 concerning the protection of individuals with regard to the processing of personal data (free translation): "When the data controller is not established in the Algerian territory but uses, for the purpose of processing personal data, automated or non-automated means located in the Algerian territory, excluding processing used solely for transit within the national territory. In this case, the data controller must notify the national authority of the identity of its representative established in Algeria, who, without prejudice to their personal responsibility, replaces them in all their rights and obligations arising from the provisions of this law and the texts adopted for its implementation."

Last modified 20 March 2026

There is no requirement to appoint a data protection officer.

Last modified 30 December 2021

Generally, there is no specific requirement to appoint a data protection officer. Under certain circumstances, in which special security standards apply, it may be necessary to appoint an officer in charge of data security.

Last modified 28 January 2025

No requirement to appoint a data protection officer.

Last modified 20 January 2025

National Ordinance Person Registration 

Pursuant to article 8 of the National Ordinance Person Registration, the data controller shall execute appropriate technical and organizational measures to secure personal data against loss or violation of the data against unauthorized access, change or transmission thereof.

Besides the measures above, the National Ordinance Person Registration does not contain any clauses on appointing a mandatory data protection officer. 

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

  • When the organisation is a public authority or body;
  • If the core activities require regular and systematic monitoring of data subjects on a large scale; or
  • If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.

Last modified 10 February 2025

Organisations are not required to appoint a data protection officer. However, the OAIC has issued guidance recommending that organisations appoint a data protection officer as good practice.

Last modified 11 March 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if one of the following conditions is met:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

Austria regulation

The DSG contains in its Section 5 some additional regulation in respect to the rights and obligations of the DPO. Thereunder, the DPO and all persons working for the DPO are obliged to retain confidentiality regarding the identity of the persons that have approached the data protection officer as well as regarding all the circumstances that could reveal the identity of such persons.

Under certain circumstances, the DPO and their assistant personnel have the right to refuse testimony regarding the data obtained in their capacity as data protection officer, if a person employed in a position subject to the data protection officer's supervision is entitled to such right and to the extent that person has exercised such right. All files and other documents of the data protection officer which are subject to this statutory right to remain silent in the aforementioned extent cannot be lawfully seized.

Further regulations in Section 5 concern the DPOs of public organizations.

Last modified 20 January 2025

The DPA, through its officers, may demand the elimination of violations of statutory requirements by legal entities and individuals, and may also take the necessary actions to hold accountable persons who have breached the statutory requirements regarding the collection, processing and protection of personal data.

Last modified 15 February 2022

There is no statutory duty to appoint a Data Protection Officer under the DPA.

Last modified 28 January 2025

Data controllers may voluntarily appoint a data protection officer; however, all licensed financial institutions are required to appoint a data protection officer.

The data controller may appoint an external or internal data protection officer.

The conditions for registering an internal data protection officer:

  • The individual must be an employee of the data controller or of one of its subsidiaries or branches or be part of a regional or international group under the same ownership.
  • The individual must have permanent residency in Bahrain.

The conditions for registering an external data protection officer: 

For Natural Persons

  • Must be fully legally competent.
  • Must hold at least a Bachelor’s degree in Information Technology or possess a professional certification in information security, information security audit or cybersecurity. Alternatively, must have a minimum of two years of practical experience in any of the foregoing fields.
  • Must be of good standing and must not have been finally convicted of any offence involving breach of trust, honour or integrity, nor of any crime involving breach of professional ethics, unless reinstated.
  • Must not have been dismissed from employment pursuant to a disciplinary decision, nor had their professional license revoked or suspended under a disciplinary ruling.

For Legal Persons 

  • Must be licensed to operate in Bahrain.
  • Must be engaged in providing legal, audit, information technology, management consulting, accounting or risk management services.
  • Must employ at least three individuals who meet the eligibility requirements applicable to natural persons.
  • Must satisfy any additional conditions set by the Board of Directors.

A data protection officer must help the data controller in exercising its rights and fulfilling its obligations prescribed under the PDPL. The data protection officer also has a number of other roles, including liaising with the Authority, verifying that personal data is processed in accordance with the PDPL, notifying the Authority of any violations of the PDPL that the data protection officer becomes aware of and maintaining a register of processing operations that the data controller must notify the Authority about.

Last modified 2 February 2026

No requirements.

Last modified 3 January 2024

The data controller and the data processor must designate a data privacy officer where:

  • the processing is carried out by a public authority or body, except for a court of competent jurisdiction acting in their judicial capacity;
  • the core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the data controller or the data processor consist of processing on a large scale of sensitive personal data.

The data privacy officer must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the duties and functions as set out under the Act.

Last modified 28 January 2024

Data Protection Law obliges operators to designate a structural unit or person responsible for the internal control of personal data processing. This shall be an internal unit or employees of the organisation, i.e. it is not possible to outsource the control functions. The legislation establishing obligations of different positions stipulates that the specialist of internal control over personal data processing shall have higher education, while no requirements for work experience are established.

Persons responsible for the internal control of personal data processing shall complete training on issues related to personal data protection at least once every five years. Depending on the type of organisation, the training may be organised at NPDPC or other educational organisations. In addition, the operators shall annually by 15 November provide NPDPC with information on the number of persons who shall complete training at NPDPC.

Moreover, a legal entity, including a state body, that processes personal data shall create information protection systems to secure information in the information systems used for processing such data. As part of creating such a system, the entity should establish a special department or appoint an employee responsible for taking the required technical and cryptographic information protection measures. According to the Information Protection Edict, the employees of such a department (or the responsible employee) are required to have higher education in the sphere of information protection security or other higher or specialised secondary or professional-technical education and undergo training on the issues of technical and cryptographic information protection.

If for some reason the respective departments or employees cannot take such measures themselves, a special organisation licensed to perform technical and/or cryptographic information protection activities may be involved.

Last modified 13 February 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Belgium regulation

In addition to the GDPR, the Data Protection Act requires the appointment of a DPO depending on the impact of the processing activity, namely if it may entail a high risk as referred to in article 35 of the GDPR when (i) a private law body processes personal data on behalf of a federal public authority or a federal public authority transfers personal data to this private law body in the context of police services [1] or (ii) the processing falls under the exception necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes [2]. Some public authorities regulated by the Data Protection Act are also required to appoint a DPO [3].

The Data Protection Authority has addressed the GDPR requirements for the appointment of DPOs and the exercise of their tasks in several cases, including in relation to the position of the DPO and their independence, the obligation to directly report to the highest management level, the necessary resources to carry out their tasks and the requirement that a DPO must have “expert knowledge”.

Footnotes

1. Art. 21 Data Protection Act.
2. Art. 190 Data Protection Act.
3. The Center for Missing and Sexually Exploited Children (Child Focus) Art. 8 para. 3 Data Protection Act; Competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security implementing Directive 2016/680 Art. 63 et seq Data Protection Act; Intelligence and security services Art. 91 Data Protection Act; Bodies for security clearances, certificates and recommendations Art. 124 Data Protection Act; Coordination Unit for Threat Assessment Art. 157 Data Protection Act.

Last modified 13 February 2026

According to Article 430 of the Digital Code, a Data Protection Officer (DPO) must be appointed when the data controller is a state-owned organization or when the activities of the data controller or data processor involve monitoring individuals or processing of sensitive data on a large scale.

Although the Digital Code does not impose a strict duty for the appointment of a DPO, organizations with a DPO are exempt from notifying the APDP of data processing (Article 408 of the Digital Code).

Last modified 20 January 2025

Organisations covered by PIPA are required to appoint a "privacy officer" for the purposes of compliance with PIPA and communication with the Privacy Commissioner.

Last modified 28 January 2024

There is no mandatory requirement to appoint a formal data security officer or data protection officer.

Last modified 4 February 2026

Personal Data Protection Act BES 

Pursuant to article 13 of the Personal Data Protection Act BES the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data. 

Besides the measures above, the Personal Data Protection Act BES does not contain any clauses on any type of registration, filings of documents to any public agency or having a mandatory data protection officer in place. 

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

  • When the organisation is a public authority or body;
  • If the core activities require regular and systematic monitoring of data subjects on a large scale; or
  • If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.

Last modified 10 February 2025

The data controller and processor are required to appoint a Data Protection Officer (“DPO”) in the following cases:

  • when the processing is carried out by a public authority, except for courts acting in their judicial capacity;
  • when the core activities of the controller or processor consist of processing operations which, by their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • when the core activities of the controller or processor consist of large-scale processing of special categories of personal data or data relating to criminal convictions and offences.

A group of undertakings may appoint a single DPO provided that the DPO is easily accessible from each establishment.

Public authorities may appoint a single DPO for multiple authorities, taking into account organizational structure and size.

In other cases, controllers, processors, or associations representing them may, or where prescribed by law must, appoint a DPO. A DPO may act on behalf of these associations.

The DPO shall be appointed based on professional qualifications, including expertise in data protection law and practice, and the ability to perform the tasks assigned by law.

The DPO may be employed by the controller or processor or engaged under a service contract.

Controllers or processors must publish the DPO’s contact details and communicate them to the supervisory authority.

Controllers and processors shall ensure that the DPO is properly and timely involved in all issues related to personal data protection. Controllers and processors shall support the DPO in performing their tasks, providing necessary resources, access to personal data and processing operations, and support for maintaining expertise. The DPO shall not receive instructions regarding the performance of their tasks. Controllers and processors cannot dismiss or penalize the DPO for performing their duties. The DPO reports directly to the highest management level. Data subjects may contact the DPO regarding processing of their personal data and exercising their rights. The DPO shall maintain confidentiality of all information obtained while performing their tasks. The DPO may perform other tasks, provided they do not create a conflict of interest.

The DPO shall:

  • inform and advise the controller or processor and employees engaged in processing about their obligations under the law;
  • monitor compliance with the law and internal policies of the controller or processor, including awareness-raising, training, and audits;
  • provide advice, when requested, on data protection impact assessments and monitor their implementation;
  • cooperate with the supervisory authority;
  • act as a contact point for the supervisory authority on all data processing matters, including prior consultation when required.

While performing their tasks, the DPO shall take into account the risks associated with processing, considering the nature, scope, context, and purposes of processing.

Furthermore, in the event that the personal data of data subjects in Bosnia and Herzegovina is processed by a data controller or processor who does not have a registered office, business establishment, residence, or habitual abode in Bosnia and Herzegovina, and if the processing activity is related to:

  • offering goods or services to those data subjects in Bosnia and Herzegovina, regardless of whether the data subject is required to make a payment; or
  • monitoring the behavior of data subjects, provided that their behavior takes place within Bosnia and Herzegovina,

the data controller or processor is obliged to appoint a representative in Bosnia and Herzegovina in writing.

However, exceptions to this obligation are provided for:

  • processing that is occasional, i.e., where there is no substantial processing of special categories of data or processing of personal data relating to criminal convictions and offences, and where it is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing; or
  • processing of personal data carried out by public authorities.

The appointment of a representative of the data controller or processor does not affect the legal obligations that may be directed against the data controller or processor itself.

Last modified 13 February 2026

A data controller has the option to appoint a data protection representative who holds the requisite qualifications, their role being to independently ensure that personal data is processed in a correct and lawful manner, and in accordance with good practice.

The data protection representative is responsible for keeping a list of the processing carried out and the list should be immediately accessible to any person applying for access. Upon identifying any inadequacies, the data protection representative should bring such inadequacies to the attention of the data controller and assist in ensuring that the data subject’s rights under the DPA are protected.

Where a data protection representative has been appointed, the notification to the Commissioner regarding wholly or partially automated processing operations is not required.

If a data protection representative has reason to suspect that the data controller is contravening the rules applicable for processing personal data, and if rectification is not implemented as soon as practicable after the contravention is pointed out, the data protection representative must then notify the Commissioner.

The appointment and removal of a data protection representative must be notified to the Commissioner.

Last modified 18 March 2026

The LGPD creates the position of Chief of Data Processing, which is the data protection officer (DPO) in charge of data processing operations. The DPO is responsible for the following:

  • Accepting complaints and communications from data subjects and the National Authority
  • Providing guidance to employees about good practices and carrying out other duties as determined by the controller or set forth in complementary rules

On July 16, 2024, the National Data Protection Authority (ANPD) published Regulation CD/ANPD 18/2024, which provides that data processors are not required to appoint a DPO, but doing so shall be considered good practice by the ANPD. The appointment of a DPO is also not required for small businesses, startups, and innovative companies, as defined by the law, except for those performing data processing activities that pose high risks for data subjects[1], pursuant to ANPD Regulation CD/ANPD 02/2022.

Regulation no. 18/2024 also provides that the appointment of the DPO must be made through a formal act, i.e., a written document, dated and executed, which clearly and unequivocally demonstrates the data processing agent’s intention to appoint a natural person or a legal organization as DPO, including the DPO’s roles and activities.

According to the mentioned Regulation, the DPO may be (i) a natural person, either internal or external to the data processing agent (controller or processor), or (ii) a legal organization. The DPO is required to be able to communicate with data subjects and with the ANPD in a clear and precise manner and in Portuguese.

In addition, the DPO’s identity and contact information shall be publicly available, in a clear and objective manner, in a highlighted and easily accessible place on the organization’s website. If the DPO is a natural person, their full name must be disclosed, and if the DPO is a legal organization, the company’s name and fantasy name must be disclosed, as well as the full name of the natural person responsible for the company.

Even though the DPO may carry out more than one activity within an organization, the DPO may not be responsible for functions within the same organization that could result in a conflict of interest, such as carrying out activities that involve making strategic decisions related to the processing of personal data by the controller, which does not include making decisions related to the processing of personal data which is inherent to the exercise of the DPO's duties.

Due to the absence of legal or regulatory requirements, there is no need to communicate or record the identity and contact information of the DPO with the ANPD.

[1] The following entities are considered Small-Sized Processing Agents:

  • micro-enterprises and small size businesses, as defined by Art. 41, Law No 14,195/2021
  • entrepreneur, as defined by the Civil Code No 10,406/2002
  • start-ups, as defined by Law No 182/2021
  • non-profit organizations
  • natural persons and depersonalized private entities who carry out treatment of personal data, assuming typical controller or operator obligations.

Small-Sized Processing Agents must not earn gross revenue higher than BRL 4.800.000,00 or, in the case of start-ups, BRL 16.000.000,00, nor belong to an economic group whose global revenue exceeds the limits, as defined by the corresponding laws, or perform high-risk processing. According to the Regulation, a high-risk data processing activity meets at least one general and one specific criterion among those listed in the Regulation. The general criteria are: (i) processing of personal data on a large scale; and (ii) processing of personal data which may significantly affect the data subjects’ interests and fundamental rights, while the specific criteria are: (i) use of emerging or innovative technologies; (ii) surveillance or control of publicly accessible areas; (iii) decisions made exclusively on the basis of automated data processing; and (iv) use of sensitive data or personal data belonging to children, adolescents and elderly people.

 

Last modified 30 March 2026

There is no requirement under the DPA for a data protection officer to be appointed.

Last modified 28 January 2025

At present no legal requirement.

It is anticipated that the PDPO will require an organization to appoint a data protection officer who shall be responsible for ensuring that the organization complies with the PDPO and develops and implements policies and practices that are necessary to meet its obligations under the PDPO, including a process to receive complaints. AITI have expressed the possibility of issuing advisory guidelines to provide clarity and guidance on the topic of Data Protection Officers in the future.

Last modified 18 March 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Bulgaria regulation

The Personal Data Protection Act does not set an explicit requirement to appoint a data protection officer ("DPO"), thus the general requirement pursuant to the GDPR applies. Pursuant to the Personal Data Protection Act, data controllers are obliged to communicate the personal details and contact details of the DPO, as well as any subsequent replacements, to the Commission for Personal Data Protection, and will also have to publish the DPO's contact details. An approved notification form, which was recently updated by the Commission for Personal Data Protection, is available online (in Bulgarian only).

Last modified 12 February 2026

We have not identified any obligation to appoint a data protection officer ('DPO') or any other equivalent role in the law.

Last modified 20 January 2025

There is no requirement to appoint a data protection officer.

Last modified 17 January 2024

Since Cambodia does not have any dedicated laws on data protection, there are no specific requirements in Cambodia to appoint data protection officers who are specifically tasked with handling, overseeing or implementing data protection matters in Cambodia.

Last modified 13 February 2026

Article 38 of the Draft of 2024 Data Protection Law provided for the mandatory appointment of a DPO not on the basis of the size of the company but rather on the type and quantity of data processed, the systematic nature of the processing or the number of persons concerned by the processing carried out by the company. However, the final version of the law adopted did not include this provision. It is, therefore, likely that this point will be regulated in the Decree implementing the 2024 law on data protection or a subsequent regulatory text of the Ministry of Posts and Telecommunications.

Last modified 19 March 2026

PIPEDA, PIPA Alberta, and PIPA BC expressly require organizations to appoint an individual responsible for compliance with the obligations under the respective statutes.

The Quebec Private Sector Act, as modified by Bill 64, requires organizations to appoint a person responsible for the protection of personal information, who is in charge of ensuring compliance with privacy laws within the organization. By default, the person with the highest authority within the organization will be the person responsible for the protection of personal information, however this function can be delegated to any person, including a person outside of the organization.

This person’s responsibilities are broadly defined in the law and include:

  • Approval of the organization’s privacy policy and practices
  • Mandatory privacy impact assessments
  • Responding to and reporting security breaches, and
  • Responding to and enacting access and rectification rights

The contact information of the person responsible for the protection of personal information must be published online on the website of the organization. The delegation must be done in writing. 

Last modified 26 January 2023

The appointment of a data protection officer is mandatory when:

  • processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 8 (sensitive data) or personal data relating to criminal convictions and offences referred to in Article 11 (criminal convictions and offences).
Last modified 16 January 2025

There is no requirement for organizations to appoint a data protection officer under the DPA, though this may be recommended for larger or complex organizations. 

Last modified 28 January 2025

There are no specific provisions relating to the appointment of a Data Protection Officer (DPO) under the Act. This issue is left to the exclusive discretion of the data controllers.

Last modified 19 March 2026

While the PDPL itself does not mandate the appointment of a Data Protection Officer (DPO), Law 21,719 and its supplementing regulations introduce the concept of the DPO as part of its certified infringement-prevention compliance models. In this regard, compliance programs must include the designation of a DPO with sufficient means and powers to exercise the role.

Law 21,719 also sets forth the DPO’s duties and fitness requirements, specifically providing that the DPO must be appointed by the controller’s highest governing or administrative authority (i.e., the board of directors, a managing partner, or the entity’s chief executive, as relevant), must be autonomous regarding management in matters related to the law, and, in the case of micro, small and medium-sized enterprises, the owner or the highest authorities may personally assume the DPO’s tasks.

Last modified 5 February 2026

A data controller who in total processes more than 10 million data subjects' personal information must appoint a Data Protection Officer (DPO), and register a series of information about the DPO (e.g. name, contact information, appointment letter, etc.) and the data controller's main processing activities to the CAC via an online portal.

If a data controller processes in a foreign jurisdiction the personal information of Chinese residents for the purposes of providing products or services to the data subjects or for assessing or analyzing their behaviors (i.e. where the data controller triggers the extra-territorial effect of the PIPL), the data controller must appoint a local representative in China and report information about the representative to the CAC. Details of how the representative information should be registered are awaited.

Last modified 13 February 2026

There is no requirement to appoint a formal data protection officer in Colombia. However, companies are required to appoint either a specific person or a designated group within the company to be in charge of personal data matters, specifically the handling of data subject rights and privacy requests.

Last modified 13 February 2026

Obligation to designate a CPDCP

  • According to Article 5 of Law 2013-450, the processing of personal data is subject to a prior declaration to the ARTCI. However, this obligation to declare may be waived if the controller designates a CPDCP, except in the case of the transfer of personal data to a third country. The designation of a CPDCP is therefore a choice that exempts the declaration, and not a legal obligation (Article 6 of the aforementioned law).
  • When the data controller opts to designate a CPDCP, it must notify the ARTCI of this designation (Article 6 of the Order on the correspondent's profile).
  • The CPDCP is responsible for independently ensuring compliance with the legal obligations relating to the protection of personal data.

Qualifications required for the CPDCP

  • Law no. 2013-450 stipulates that the CPDCP must have the necessary qualifications to carry out his or her duties.
  • Order No. 511/MPTIC/CAB of 11 November 2014 specifies the profile required for the CPDCP, which differs depending on whether it is a natural or legal person:
    • For natural persons:
      • Be of Ivorian nationality (implied)
      • Have at least a BAC+4 level in the fields of legal sciences, computer science or telecommunications/ICT networks, or an equivalent diploma
      • At least two years' professional experience in these fields
      • Proven competence in personal data protection
      • Have a good knowledge of database management and operating systems, data storage methods and information systems security policies
      • Mastery of office automation tools and the internet
      • Excellent interpersonal and organisational skills
      • Not to have been the subject of a final criminal conviction or a ban on exercising an activity, handed down by an Ivorian or foreign court, or of a sanction handed down by ARTCI
    • For legal entities:
      • Be a legal person under Ivorian law
      • Prove that they are tax-compliant and that they are registered with social security institutions
      • Have been active for at least five years in the fields of legal sciences, information technology or telecommunications/ICT networks, and provide proof of this
      • Have insurance covering professional risks relating to the protection of personal data
      • Have staff with at least the profile of a CPDCP, natural person

It is important to note that the controller cannot be designated as a CPDCP.

A natural person CPDCP can only be designated by a single controller and carry out his duties only with the latter. On the other hand, a legal entity may be appointed by several data controllers.

Duties of the CPDCP

The CPDCP is responsible for ensuring, in an independent manner, compliance with the legal obligations relating to the protection of personal data.

Its main missions, defined by Law No. 2013-450, and specified by Order No. 511/MPTIC/CAB include:

  • Maintaining the list of data processing carried out
  • Keeping a copy of the codes and passwords required to access files relating to processing
  • Providing access to data to any data subject who requests it in order to exercise their rights
  • Ensuring compliance with legislation on the protection of personal data
  • Informing and advising the data controller and employees on legal obligations in relation to data protection
  • Notifying the data controller of any breaches of legislation observed
  • Notifying the ARTCI of uncorrected breaches within three months of reporting to the controller
  • Notifying the ARTCI of any difficulties encountered in carrying out its duties

Other important elements

  • The appointment of the CPDCP must be notified to the ARTCI.
  • The ARTCI has 30 days to object to the designation if the CPDCP does not meet the required profile.
  • The CPDCP may not be sanctioned by his employer for the performance of his duties.
  • The controller may replace the CPDCP for a legitimate reason, after informing the CPDCP and giving him/her the opportunity to present his/her observations. The replacement must also be notified to the ARTCI.
  • Decree No. 2015-79 specifies that applications to file a declaration and authorisation for the processing of personal data must be submitted by a natural person resident in Côte d'Ivoire or a legal person under Ivorian law.
Last modified 6 January 2025

There is no requirement for a data protection officer.

Last modified 9 February 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Croatia regulation

The Act does not contain any special requirements related to data protection officers, other than those imposed by the GDPR. AZOP must, however, be informed of the appointment and any change of the DPO.

Last modified 16 January 2025

There is no general requirement under binding Cuban rules for organisations to appoint a data protection officer.

Last modified 16 February 2022

National Ordinance Personal Data Protection 

Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data. 

Besides the measures above, the National Ordinance Personal Data Protection does not contain any clauses on any type of registration, filings of documents to any public agency or having a mandatory data protection officer in place. 

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

  • When the organisation is a public authority or body;
  • If the core activities require regular and systematic monitoring of data subjects on a large scale; or
  • If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.
Last modified 10 February 2025

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

According to the Law, the Commissioner may draw up and make available to the public a list of the processing operations and/or other instances in which the designation of a data protection officer (the “DPO”) by the data controller and the processor is deemed necessary. A list of names of data controllers and processors who have designated a DPO may be published on the Commissioner’s website, provided the data controller and the processor wish to be included therein.
Last modified 12 March 2026

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

Last modified 16 January 2024

The Digital Code provides for the possibility to designate a "délégué à la protection des données à caractère personnelles", which is a person responsible for the protection of personal data or Data Protection Officer, without however regulating such role in detail. The Digital Code only provides for some of its duties, namely:

  1. informing and advising the controller or processor and the employees who carry out the processing on their obligations under the data protection provisions of the Digital Code;
  2. monitoring compliance with the data protection provisions of the Digital Code and with the controller's or processor's internal rules on the protection of personal data, including with regard to the allocation of responsibilities, the awareness and training of staff involved in processing operations, and related audits;
  3. providing advice, on request, on data protection impact assessments and verifying that they are carried out in accordance with the Digital Code;
  4. cooperating with the APD;
  5. acting as a focal point for the authority responsible for the protection of personal data on matters.
Last modified 4 February 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Denmark regulation

Under the Regulation, organizations shall designate a data protection officer (‘DPO’) in any case where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
  • the core activities of the data controller or the processor consist of processing operations which, by their nature, their scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale, or
  • the core activities of the controller or the processor consist of processing on a large scale of Special Categories of Personal Data and personal data relating to criminal convictions and offences

The DPO shall be selected based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in the GDPR.

Under the Danish Data Protection Act, the DPO is subject to a duty of secrecy and is prohibited from wrongful disclosure or use of any personal data processed in their capacity as DPO.

Last modified 16 January 2025

There is no requirement to appoint a data protection officer under the DPL.

Last modified 28 January 2025

Each controller or processor is required to appoint a Data Protection Officer (DPO) if one or more of the following thresholds is met:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Both in the Regulation implementing the Organic Law on Personal Data Protection and in the secondary regulations issued by the Superintendence of Personal Data Protection, the activities required to appoint a Data Protection Officer have been expanded based on the volume of data processed by a data controller. 

For example, all companies in the insurance sector and financial institutions are mandatorily required to appoint a DPO.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities, provided that it does not give rise to a conflict of interests.

DPOs must exercise their duties in a "professional manner" for the controller or processor, though it is possible to outsource the DPO role to a service provider.

The DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks.

The specific tasks of the DPO include:

  • to inform and advise on compliance with the Personal Data Protection Organic Law;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the Superintendence of Data Protection.
Last modified 10 February 2026

Pursuant to Article (8) of the Law, the legal representative of the juristic person of the controller or the processor shall appoint a competent employee as a Data Protection Officer (the “DPO”) within its entity to be responsible for personal data protection. Such DPO must be registered on the DPO register at the Centre. The DPO shall be responsible for enforcing the provisions of the Law and the decisions of the Centre, as well as monitoring and supervising the procedures applicable within the entity and receiving requests related to personal data. The DPO shall, in particular, undertake the following:

  • Perform a regular evaluation and inspection of the personal data protection systems and avoid infringement thereof, as well as document the results of such evaluation and issue the necessary recommendations for their protection.
  • Act as a direct contact point with the Centre and implement its decisions, with respect to the application of the provisions of the Law.
  • Enable the data subject to practice its rights stipulated under the Law.
  • Notify the Centre of the occurrence of any breach of personal data within his entity.
  • Reply to the requests submitted by the data subject or any relevant person and reply to the complaints filed by them to the Centre.
  • Follow-up the registration and update the personal data records held by the controller, or the processing activity records held by the processor, to guarantee the accuracy of the data and information recorded therein.
  • Eliminate any transgressions related to personal data within its entity and undertake the corrective actions related thereto.
  • Organise the necessary training programs for the employees of the relevant legal entity, which are required to have sufficient qualifications that comply with the requirements stipulated by the Law.
Last modified 13 February 2026

To this date, only Public Offices/Institutions are required to appoint a Public Information Access Officer, but no Data Protection Officer regulation is in place.

Last modified 28 January 2024

The Governing Data Protection Body, through its Technical Secretariat, is responsible for ensuring that the administration of personal data files, regardless of their ownership, is done in due compliance with the provisions of the law.

Last modified 6 March 2025

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Estonia regulation

In relation to DPOs, the PDPA and the Implementation Act do not foresee any derogations / additional requirements to the GDPR.

Last modified 19 February 2026

A data protection officer is a natural person assigned within an organization with the responsibilities of controlling data handling, administration and usage. 

Both a data controller and a data processor shall designate or appoint a data protection officer on such terms and conditions as the data controller or data processor may determine, where:

  • the processing is carried out by a government body, except for courts acting in their judicial capacity;
  • the core activities of the data controller or data processor consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the data controller or the data processor consist of processing on a large scale of sensitive personal data.

Last modified 23 March 2026

None.

Last modified 2 February 2026

None.

Last modified 19 March 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Finland regulation

In Finland the new Data Protection Act does not contain specific local requirements on data protection officers. However, a few special national acts stipulate mandatory appointment of data protection officers.

For example, in Finland all functional units of healthcare and social welfare as well as pharmacies must appoint a data protection officer under the Act on Electronic Prescriptions (61/2007) (Laki sähköisestä lääkemääräyksestä), and under the Act on the Processing of Client Data in Healthcare and Social Welfare (703/2023) (Laki sosiaali- ja terveydenhuollon asiakastietojen käsittelystä).

Last modified 13 February 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


France regulation

The Law provides that controllers processing personal data under the scope of the EU Data Protection Directive on Police and Criminal Justice Cooperation must appoint a DPO, with the exception of jurisdictions acting within the scope of their judicial activity.

The Decree specifies the mandatory information to be communicated to the CNIL by data controller(s) or processor(s) in the DPO notification form.

On 20 September 2018, the CNIL issued two standards regarding the certification of DPO skills: one regarding the skills and know-how expected to be certified as DPO (CNIL Deliberation No. 2018-318), and the other one regarding the criteria applicable to certifying DPO organizations (CNIL Deliberation No. 2018-317). These Deliberations were recently updated notably to adapt the procedure of accreditation of the organizations authorized to certify the DPOs’ skills and to enable candidates to take the certification test remotely (CNIL Deliberation No. 2022-128 and CNIL Deliberation No. 2023-062).

In March 2022, the CNIL also published a Guide for DPOs that combines useful knowledge and best practices to help organizations in appointing and supporting DPOs.

Last modified 23 February 2026

Under the new law on personal data, the appointment of a DPO is no longer left exclusively to the discretion of the data controller. Indeed, the law establishes specific situations in which a DPO must be appointed, thus limiting the discretionary power of the data controller. These conditions, governed by article 125, are as follows:

  • Where the processing is carried out by a public authority or public body, with the exception of courts acting in the exercise of their judicial function;
  • Where the basic activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic large-scale monitoring of the data subjects;
  • Where the basic activities of the controller or processor consist of large-scale processing of sensitive data and data relating to convictions for criminal offences.

In addition, according to article 130 of the aforementioned law on personal data, this position must be held by a person with the qualifications required to carry out his or her duties, namely professional qualities, particularly relating to knowledge of the law and matters relating to data protection.

According to Article 138, the Data Protection Officer is responsible for ensuring that data processing is compliant. His duties cover all processing carried out by the body that appointed him. In this capacity, he is responsible for:

  • informing and advising the data controller or data processor, as well as the people in the organisation who process the data, of their obligations under this law;
  • monitoring compliance with this law and with the internal rules put in place by the data controller or data processor with regard to data protection, including the allocation of responsibilities and the awareness and training of staff involved in data processing and auditing operations;
  • giving an opinion on data protection impact assessments and checking that they have been carried out;
  • cooperating with the APDPVP, including in the event of prior consultation by the controller when a data protection impact assessment is carried out, and consulting, as appropriate, on any other matter.

Last modified 6 January 2025

As per the Data Protection Law (Article 33), public institutions, insurance organizations, commercial banks, micro-finance organizations, credit bureaus, electronic communication companies, airlines, airports, and medical institutions, as well as controllers / processors processing the data of a significant number of data subjects or carrying out systematic and large-scale monitoring of their behavior, are obliged to appoint or designate a personal data protection officer. The personal data protection officer, on the other hand, shall:

  • inform a controller, a processor and their employees on matters related to data protection, including on matters related to the adoption or modification of regulatory legal norms, and provide them with consultation and assistance in terms of the methodology used;
  • participate in the development of internal regulations related to data processing and the data protection impact assessment document, and also monitor whether a controller or a processor complies with the legislation of Georgia and the internal organizational documents;
  • analyze received applications and grievances regarding data processing and make appropriate recommendations;
  • receive consultations from the Personal Data Protection Service, represent a controller and a processor in the relationship with the Personal Data Protection Service, submit information and documents at its request, and coordinate and monitor the execution of its tasks and recommendations;
  • in the event of an application by a data subject, provide him / her with information on data processing and his / her rights;
  • perform other functions for ensuring the improvement of standards of data processing by a controller and a processor.

Except for the cases provided for in the beginning (first paragraph), other controllers / processors have the right, at their own discretion, to appoint or designate a personal data protection officer. It should be noted that the function of a personal data protection officer may be performed by an employee of a controller or a processor or by other person(s) on the basis of a service contract. The personal data protection officer has the right to perform other functions unless they give rise to a conflict of interest.

Furthermore, a controller or a processor is allowed to appoint or designate a common personal data protection officer provided that he / she completes his / her functions. If the controller or the processor is a public institution, it is also permissible to appoint or designate a common personal data protection officer for several state institutions, taking into account the organizational structure and size of the said institutions. A personal data protection officer needs to have appropriate knowledge in the field of data protection and be accountable to the highest governance structure, taking into account the specific circumstances.

A controller and a processor are obligated to ensure the proper involvement of a personal data protection officer in the process of taking important decisions regarding data processing, provide him / her with appropriate resources, and ensure his / her autonomy during the carrying out of activities. They are also obliged to provide to the Personal Data Protection Service information on the identity and contact details of a personal data protection officer, who is in charge of making such information public; this needs to be carried out within 10 working days after the appointment or designation and / or replacement of the relevant personal data protection officer. In addition to that, the controller and the processor are obliged to publish the identity and contact details of the personal data protection officer on a website (if any) in a proactive manner, or through other available means. In the case of the temporary absence of a personal data protection officer or the termination of his / her authority, the controller and the processor are obliged, without unjustifiable delay, to grant the authority of the personal data protection officer to another person.

Last modified 6 January 2025

EU regulation

Each controller or processor is required to appoint a data protection officer (DPO) if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single DPO with responsibility for multiple legal entities (Article 37(2)), provided that the DPO is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single DPO).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Germany regulation

The threshold to designate a DPO is much lower in the BDSG than in the GDPR. The controller and processor have to designate a DPO if they constantly employ as a rule at least 20 persons dealing with the processing of personal data by automated means, Section 38(1) sentence 1 BDSG. The meaning of ‘automated processing’ is interpreted broadly by the German Authorities. It basically covers every employee who works with a computer.

If the threshold of 20 persons is not reached, Section 38(1) sentence 2 BDSG provides that a DPO has to be designated in case the controller or processor undertakes processing subject to a data protection impact assessment pursuant to Article 35 GDPR, or if they commercially process personal data for the purpose of transfer, of anonymized transfer or for purposes of market or opinion research.

A dismissal protection for the DPO is provided in Section 38(2) in conjunction with Section 6(4) BDSG. Where the controller or processor is obliged to appoint a DPO, the dismissal of a DPO, who is an employee, is only permitted in case there are facts which give the employing entity just cause to terminate without notice. After the activity as DPO has ended, a mandatory DPO who is an employee may not be terminated for a year following the end of appointment, unless the employing entity has just cause to terminate without notice.

Additionally, Section 38(2) in conjunction with Section 6(5) and (6) BDSG stipulates that the DPO shall be bound by secrecy concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless he / she is released from this obligation by the data subject. Also, the DPO has the right to refuse to give evidence under certain conditions.

Moreover, the German supervisory authorities expect that the DPO speaks the language of the competent authority and the data subjects, i.e. German, or at least that instant translation is ensured.

Each supervisory authority maintains a register of DPOs. No fee is charged for registering or updating the details of a DPO.

Last modified 16 February 2026

There is no specific requirement to appoint a data protection officer. However, under the Data Protection Act, 2012 (Act 843) a data controller may appoint a certified and qualified data supervisor to act as a data protection supervisor. The data protection supervisor is responsible for monitoring the data controller’s compliance with the provisions of the Data Protection Act. A person shall not be appointed as a data protection supervisor unless the person satisfies the criteria set by the Data Protection Commission.

Last modified 18 March 2026

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in Gibraltar GDPR, include (Article 39):

  • to inform and advise on compliance with Gibraltar GDPR and other Gibraltar data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

Last modified 19 January 2024

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Greece regulation

Further to the relevant GDPR provisions, the Greek Data Protection Law lays down specific rules on the appointment of DPO by public authorities. The particularity of Greek law is that public authorities can be considered to be exempted from the obligation to publish the contact details of the DPO and communicate them to the HDPA for reasons of national security or confidentiality.

It should be noted that the tasks of the Data Protection Officer (under Article 37 of GDPR) are incompatible with the tasks of the Information and Communication Systems Security Officer (“Y.A.S.P.E.”, as per its Greek initials), a new role established according to Greek Law 5160/2024 (hereinafter the “Greek Cybersecurity Law”), the national law for the transposition of EU Directive 2022/2555 (NIS2).

Last modified 16 January 2025

Public offices and private parties defined in Art. 6 of the Law on Access to Public Information must implement Public Information Units, pursuant to Art. 19 of the law.

Last modified 21 December 2021

A data protection officer ("DPO") must be appointed where:

  • processing is carried out by a public authority (other than a court, or tribunal acting in a judicial capacity); or
  • the core processing operations of the controller or processor require or involve "large-scale and systematic monitoring of data subjects" or "large-scale processing of special category of data".

The ODPA has issued guidance clarifying the meaning of the terms “large‑scale processing” and “core activity” for the purposes of this assessment, noting that neither term is defined in the GDPR or the DPL 2017. The ODPA also provides guidance on a range of matters relating to the appointment of a DPO, including who may be appointed, the tasks of the DPO, the duties of organisations when a DPO is required, and the level of support that organisations must provide to their DPO.

The ODPA's guidance references the guidance on the appointment of DPOs ("DPO Guidelines") issued by the EU's former advisory body (previously known as the Article 29 Working Party and now replaced by the European Data Protection Board ("EDPB")). The ODPA advises controllers and processors to take into account the terms of both the GDPR and the DPO Guidelines when assessing whether or not a DPO is required to be appointed. It also clarifies that small businesses in Guernsey are, as a general rule, unlikely to be undertaking large-scale processing unless they work with large databases of customers or other types of data subjects. Finally, the ODPA expects controllers and processors to review the scope and nature of processing periodically to ascertain whether or not their prior assessment remains valid or if there are sufficient factors to warrant appointing a DPO. All controllers and processors should document their decision-making and the outcome of such reviews.

In February 2026, the ODPA also prepared a dedicated DPO Zone on its website, which provides practical guidance, tools and resources to support Data Protection Officers and staff fulfilling equivalent responsibilities.

A central feature of the DPO Zone is the DSAR Manager, a structured spreadsheet tool designed to help organisations record, track and manage Data Subject Access Requests (DSARs) efficiently and consistently. The ODPA advises controllers to maintain detailed records of decisions taken during the DSAR process, supported by a clear filing structure and standardised naming conventions. Although the tool is not mandatory, it provides a useful way to evidence compliance, reinforce accountability, and maintain an audit trail of communications and key steps taken throughout the DSAR lifecycle.

Last modified 28 February 2026

A data controller will have the option to appoint a data protection officer. According to article 14 and following of the Law on Cybersecurity and Personal Data Protection, the data protection officer must be a person qualified to perform such tasks. He must keep a list of the processing operations carried out which is immediately accessible to any person who requests it, and may not be subject to any sanction by his employer as a result of the performance of his duties.

The appointment of a data protection officer by the data controller must be notified to the authority responsible for personal data protection. This appointment must also be brought to the attention of the employer's staff representative bodies. 

Last modified 20 December 2021

N/A.

Last modified 16 January 2025

Only Obligated Entities must appoint a data protection officer.

Last modified 10 February 2025

Currently, there is no legal requirement for data users to appoint a data protection officer in Hong Kong. However, the PCPD issued a best practice guide in February 2014 (which was further revised in March 2019) to advocate the development of a privacy management program and encourage data users to appoint or designate a responsible person to oversee the data users' compliance with the Ordinance. There is no specific requirement for a Hong Kong citizen or resident to hold this role. There is no specific enforcement action or penalty if a company does not appoint a data protection officer. 

Last modified 8 March 2026

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

Last modified 11 January 2024

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Iceland regulation

Iceland did not extend the requirement to appoint a Data Protection Officer, cf. Article 37(4) of the GDPR.

The DPA defines a public authority or body in accordance with Article 1 of the Administrative Procedures Act no. 37/1993. The term public authority refers to all parties, institutions, committees, etc. which are governed by state and local government. According to the bill to the DPA, it is regarded as desirable that companies entrusted with certain projects for the public interest designate a Data Protection Officer with regard to those projects. Such projects are for example in the field of public transport, road construction and energy utility.

The Data Protection Officer may not disclose any information brought to his or her knowledge in the course of his or her work and covered by the obligation of professional secrecy. Further, the Data Protection Officer has an obligation of confidentiality in accordance with Chapter X of the Icelandic Administrative Procedures Act no. 37/1993.

Last modified 16 January 2025

Under the DPDP Act, Data Fiduciaries are required to appoint a contact person to address any questions that a Data Principal may have about the processing of their personal data.

Significant Data Fiduciaries (as explained further in Collection and processing) are required to appoint a Data Protection Officer for the same purpose. The Data Protection Officer must be based in India and will be responsible to the board of directors or any similar governing body of the Data Fiduciary. 

The Data Protection Officer will also be the point of contact for a Data Principal for the purpose of grievance redressal under the DPDP Act.

Pursuant to the DPDP Rules, every Data Fiduciary is required to publish on its website / app and in every response to a communication to a Data Principal for the exercise of their rights, the business contact information of the Data Protection Officer / the contact person to address any questions that the Data Principal may have, as the case may be.

Last modified 13 February 2026

There is no requirement in Indonesia for organizations to appoint a data protection officer ("DPO") except in certain situations mentioned below.

The PDP Law formally establishes the position of a data protection officer (DPO) into Indonesian law, which was nonexistent under the General Data Protection Regulations.

The PDP Law only requires data controllers and data processors to mandatorily appoint a DPO if:

  • the personal data processing is for public service purposes;
  • the main operations of the data controller require large-scale, frequent and systematic monitoring of personal data; or
  • the main operations of the data controller involve large-scale personal data processing of specific personal data and / or personal data related to criminal activity.

This DPO shall, at the very least, carry out the functions of:

  • informing and providing advice to data controllers or data processors regarding compliance with the PDP Law;
  • monitoring and ensuring compliance with the PDP Law and the internal policies of a data controller or data processor;
  • providing advice regarding the personal data protection impact assessment and monitoring the performance of data controllers or data processors; and
  • coordinating and acting as a contact person for issues related to personal data processing.

Further conditions on DPOs will be set out in a separate government regulation, which at the time of writing is yet to be issued.

Last modified 13 February 2026

There is no requirement to appoint a data protection officer.

Last modified 23 May 2019

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Ireland regulation

Ireland has not yet extended the requirement to appoint a Data Protection Officer (“DPO”). However, Section 34 of the DP Act does provide the Minister for Justice and Equality with the power to make regulations requiring controllers or processors to designate a data protection officer.

In addition, the DP Act requires enhanced “suitable and specific” measures to be implemented in relation to certain processing activities. In such cases, the designation of a DPO (in cases where it is not mandatory under GDPR) is listed in section 36 of the DP Act as one example of such measures.

The DPC maintains a register of DPOs. No fee is charged for registering or updating the details of a DPO.

Last modified 17 January 2025

Appointment of a Data Security Officer is required by an entity meeting one of the following conditions:

  • a possessor of five databases that require registration;
  • a public body as defined in Section 23 to the PPL; or
  • a bank, an insurance company or a company engaging in rating or evaluating credit.

Failure to nominate a Data Security Officer when required to do so may result in criminal sanctions, including administrative fines. The PPL does not require that the Data Protection Officer should be an Israeli citizen or resident.

In the event that a Data Security Officer was appointed pursuant to the PPL, the Israel Protection of Privacy Regulations (Data Security), 5777-2017 ('Data Security Regs') require that the officer be directly subordinate to the database manager / controller, or to the manager of the entity that owns or holds the database. In addition, the Data Security Regs prohibit the officer from being in a conflict of interest and require the officer to establish data security protocols and ongoing plans to review compliance with the Data Security Regs. The officer must present findings from such review to the database manager / controller and its supervisor.

Amendment 13 added a requirement to appoint a Data Protection Officer under the following circumstances: (i) the controller is a Public Body as defined in Section 23 of the PPL, (ii) the controller of a database with a main purpose of collecting Personal Data in order to transfer it to a third party (data brokers), where the database contains Personal Data of more than 10,000 data subjects, (iii) controllers and processors whose main activities include processing which, in light of its nature, scope or purpose, requires regular and systematic monitoring of data subjects on a Large Scale (as defined in Amendment 13), or (iv) controllers and processors of databases that include Especially Sensitive Data on a Large Scale (as defined in Amendment 13).

Large Scale will be determined by, among other things, the number of data subjects whose Personal Data is processed, their proportion within a specific population, the scope and volume of the Personal Data, the variety of data types processed, the duration and frequency of the processing activities, the retention period of the Personal Data, and the geographical area where the processing occurs.

The DPO must have the required expertise and abilities to carry out their responsibilities effectively, including in-depth knowledge of privacy protection laws and an adequate understanding of technology and information security and of the company's operations and goals. The DPO will not take on any additional roles nor be subordinate to any official within the body where they hold their position, or in any other body, if such a role or subordination could create a conflict of interest that would interfere with the performance of their duties. The DPO will report directly to the CEO or another senior executive and may be external to the company.

The DPO will advise the company's management and staff on privacy-related issues, design and oversee a privacy training program, establish and maintain ongoing compliance monitoring, address data subject inquiries, and serve as the point of contact with the IPA.

Last modified 25 December 2024

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

Last modified 16 January 2025

There is no specific legal requirement to appoint a data protection officer. However, some guidelines provide that specific directors or employees should be assigned to control Personal Information (e.g. Chief Privacy Officer).

Last modified 12 February 2026

Data controllers and processors are required (Article 24 DPJL) to appoint a data protection officer if:

  • Processing is carried out by a public authority (with the exception of courts acting in their judicial capacity)
  • The core activities of the controller or the processor consist of processing operations that, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
  • The core activities of the controller or the processor consist of processing special category data on a large scale, or
  • It is otherwise required by law

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 24(3) DPJL). However, larger corporate groups may find it difficult in practice to operate with a single data protection officer. The data protection officer must be easily accessible to:

  • All data subjects
  • The Information Commissioner, and
  • The controller or processor who appointed the officer, along with the controller’s or processor’s employees that carry out data processing

Data protection officers (DPOs) must have expert knowledge (Article 24(6) DPJL) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 24(7) DPJL).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 25(1) DPJL), and the DPO must directly report to the highest management level of the controller or processor (Article 25(2) DPJL).

In addition, controllers and processors must:

  • Ensure that the data protection officer operates independently and does not receive any instructions regarding the performance of those duties, other than to perform them to the best of the officer’s ability and in a professional and competent manner (Article 25(1)(c) DPJL), and
  • Not dismiss or penalize the data protection officer for performing his or her duties other than for failing to perform them to the best of the officer's ability and in a professional and competent manner (Article 25(1)(d) DPJL)

The specific tasks of the DPO are set out in Article 26 DPJL and include:

  • Informing and advising on compliance with the DPJL, DPAJL and other applicable data protection laws
  • Monitoring compliance with the law and with the internal policies of the organization, including assigning responsibilities, raising awareness and training staff
  • Advising on and monitoring data protection impact assessments, where requested, and
  • Cooperating and acting as point of contact with the Information Commissioner

Last modified 16 January 2025

The Data Protection Officer is the appointed natural person overseeing databases and processing in accordance with the provisions of the law.

According to Article (11) of the Law:

  • The Controller shall appoint a Data Protection Officer in the following cases:
    • If the primary activity of the Controller involves processing Personal Data.
    • When Processing Sensitive Personal Data.
    • When Processing Data of individuals who lack legal capacity.
    • When Processing Data that includes financial information.
    • When transferring to databases outside the Kingdom.
    • In any other case determined by the Council requiring the Controller to appoint a Data Protection Officer.
  • The Data Protection Officer shall assume the following tasks and responsibilities:
    • Monitoring the procedures put in place by the Controller related to Data protection and documenting their compliance with the provisions of this law and related legislations.
    • Ensuring the execution of periodic assessments and reviews of database systems, data processing systems, and systems for maintaining the security, safety, and protection of data, and documenting the assessment results and issuing necessary recommendations for data protection, and monitoring the implementation of these recommendations.
    • Acting as a direct liaison with the Unit and other security and judicial authorities regarding compliance with the provisions of the law.
    • Developing internal instructions for receiving and studying complaints, Data access requests, requests for correction, erasure, hiding, or transfer of Data, and ensuring that such access is provided to the Data Subject in accordance with the provisions of the Law.
    • Enabling the Data Subject to exercise their rights as provided in this law.
    • Organising necessary training programs for the staff of the Controller and Processors to equip them to handle Data in line with the requirements of this law and the regulations and instructions issued accordingly.
    • Any other tasks or responsibilities assigned to the Data Protection Officer in accordance with the provisions of the law and the regulation and instructions issued pursuant to it.

Last modified 8 February 2026

Under Kazakh law, an owner and / or operator of a personal data database, which is a legal entity, should appoint a person responsible for organizing the processing of personal data. Such person is obliged to:

  • exercise internal control over observance by the owner and / or operator of a personal data database and its employees of Kazakh law requirements in relation to personal data and its protection;
  • inform the employees of an owner and / or operator of the provisions of Kazakh law in respect of processing and protection of personal data;
  • exercise control over receipt and processing of applications from personal data subjects or their legal representatives.

In addition, an owner and / or operator of a database containing personal data and a third party related to the owner and / or operator should, inter alia, when collecting and processing personal data, determine the list of persons carrying out collection and processing of personal data or having access to it.

Last modified 13 February 2026

The Act makes provision for the designation of Data Protection Officers (DPOs), but designation is not mandatory (Section 24 of the Act).

DPOs can be members of staff and may perform other roles in addition to their DPO role. A group of entities can share a DPO.

The contact details of the DPO must be published on the organisation’s website and communicated to the ODPC.

DPOs have the following roles:

  • advising the data controller or data processor and their employees on data processing requirements provided under the Act or any other written law;
  • ensuring compliance with the Act;
  • facilitating capacity building of staff involved in data processing operations;
  • providing advice on data protection impact assessments; and
  • co-operating with the DPC and any other authority on matters relating to data protection.

Under the Regulations, DPOs also have the following additional roles:

  • monitoring and evaluating the efficiency of the data systems in the organization; and
  • keeping written records of the processing activities of the civil registration entity.

Last modified 23 March 2026

Controllers and Processors must appoint a data protection officer in the following cases (Article 37 (1)):

  • The processing is carried out by a public authority or body, except in cases of courts acting in their judicial capacity;
  • The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and / or their purpose, require regular and systematic monitoring of data subjects on a large scale;
  • The core activities of the controller or the processor consist of processing, on a large scale, of sensitive personal data, and processing of personal data related to criminal convictions and offences.

A group of undertakings has the option to appoint a joint data protection officer, provided that the officer remains easily accessible to every entity within the group (Article 37.2). The appointment of a data protection officer is based on their professional knowledge and experience in data protection laws (Article 37.5).

The LPPD outlines the following tasks for data protection officers (Article 39.1):

  1. Inform and advise controllers and / or processors on their obligations when processing personal data;
  2. Where required, provide advice on the data protection impact assessment and monitor its performance;
  3. Cooperate with the IPA;
  4. Act as the contact point for the IPA on issues relating to processing of personal data.

Last modified 4 February 2025

The Data Protection Regulation does not explicitly outline the mechanisms and obligations for the appointment of data protection officers, per se. However, service providers must provide CITRA with the contact details of their appointed data protection officer when reporting data breaches.

Last modified 4 February 2025

Under the Law on Personal Data, Holders (Owners) of personal data (ie the data controllers) must indicate in their registration the name and contact details of the person responsible for the work with personal data. However, the Law on Personal Data does not contain any direct obligation to appoint a Data Protection Officer.

Last modified 4 February 2025

Under the Law on Electronic Data Protection, there is no concept of a data protection officer as such. The law introduces the idea that a team or an employee is required to supervise the protection of sensitive data, but no information is provided on the duties and rights of such team or employee, or their scope of work. Moreover, the team or employee in charge of the protection of sensitive data is not required to register with any authority.

Last modified 27 March 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • It is a public authority
  • Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, or
  • Its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • To inform and advise on compliance with GDPR and other Union and Member State data protection laws
  • To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
  • To advise and monitor data protection impact assessments where requested
  • To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Latvia regulation

The Personal Data Processing Law provides no derogation from the requirements of the GDPR regarding DPO. The Personal Data Processing Law provides the rules for examining an individual’s knowledge in data protection and obtaining the status of DPO. The Personal Data Processing Law allows data controllers and processors to appoint as a DPO any person who has the qualifications under the requirements of the GDPR.

The October 6, 2020 Cabinet Regulation No 620 “Data Protection Specialist Qualification Regulation” (Regulation No 620) determines in detail the application procedure, the content and procedure of the qualification examination and payment procedures for organizing the qualification exam. However, the qualification examination is not mandatory.

Regulation No 620 does not set mandatory education requirements. A person who wishes to take the qualification exam applies to the Data State Inspectorate and pays the examination fee. After the person has passed the qualification exam, they are included in the list of qualified DPOs maintained by the Data State Inspectorate and published on its website.

Regulation No 620 also provides for the maintenance of professional qualifications for DPOs who have already been included in the list of DPOs. To maintain their professional qualifications, DPOs must participate in training in personal data protection or another field related to the performance of the DPO's duties.

Last modified 4 February 2025

The Law contains no definition of data protection officer.

Last modified 21 December 2022

The DP Act (section 58) authorizes the head of a data controller to designate, by order, one or more officers or employees to be Data Protection Officers of that controller. In terms of that order, the Data Protection Officers may exercise, discharge or perform any of the power, duties or functions of the head of the data controller under this Act.

Last modified 16 March 2026

There is no known or publicly designated Data Protection Officer or Officers in Liberia. In the same vein, there is no law requiring the appointment or creation of such posts, whether in public or private entities dealing with data.

Last modified 23 February 2024

There is no data protection officer requirement as per Libyan Law.

Last modified 18 January 2024

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • It is a public authority
  • Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
  • Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • To inform and advise on compliance with GDPR and other Union and Member State data protection laws
  • To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
  • To advise and monitor data protection impact assessments where requested
  • To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Lithuania regulation

The Data Protection Law does not determine any derogations from the requirements which are set in the GDPR regarding data protection officers.

Last modified 3 February 2025

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • It is a public authority
  • Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
  • Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • To inform and advise on compliance with GDPR and other Union and Member State data protection laws
  • To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
  • To advise and monitor data protection impact assessments where requested
  • To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Luxembourg regulation

Article 65(1) of the Law of August 1, 2018 on the organization of the National Data Protection Commission provides for a specific obligation to appoint a DPO in the context of processing of personal data for scientific or historical research purposes or statistical purposes. Such appointment must be made in accordance with the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of the relevant data subjects. In this regard, if the data controller elects not to appoint a DPO, it must then formally document and justify why it chose not to appoint a DPO, for each project involving a processing of personal data for scientific or historical research purposes or statistical purposes.

Article 64 of the Law of August 1, 2018 on the organization of the National Data Protection Commission provides that the same applies to processing of special categories of personal data for the purposes defined in Article 9(2)(j) GDPR (ie, processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).

Last modified 4 February 2025

There is no legal requirement to appoint a data protection officer in Macau.

Last modified 4 February 2026

The Data Protection Law requires the appointment of a data protection officer (délégué à la protection des données à caractère personnel) in Madagascar, provided that the CMIL is operational, because the appointed data protection officer (“DPO”) should be notified to the CMIL.

The appointment of a DPO exempts an entity from making prior declarations to the CMIL.

The appointment of a DPO does not exempt an entity from requesting prior authorisation, where necessary (for example where there is a transfer of data to a country that does not provide an adequate level of protection for personal data).

The DPO must be a resident of Madagascar.

Last modified 4 February 2025

Under the Amendment Act to the PDPA, the data controller or data processor is required to appoint one or more DPOs who shall be accountable to the data controller or data processor for compliance with the PDPA. Such appointment will not discharge the data controller or data processor from all their duties and functions under the PDPA. This requirement came into force on June 01, 2025.

The DPO Guidelines provide that, according to the Circular of Personal Data Protection Commissioner No. 01/2025 (Appointment of Data Protection Officer), the mandatory DPO appointment requirement applies only to data controllers or data processors where their processing of personal data involves:

  • Personal data exceeding 20,000 data subjects;
  • Sensitive personal data including financial information data exceeding 10,000 data subjects; or
  • Activities that require regular and systematic monitoring of personal data.

Although the DPO Guidelines provide that there is no minimum professional qualification required to be appointed as a DPO, DPOs are required to demonstrate the following skills, qualities and expertise at a sound level:

  • Knowledge of the PDPA and requirements of data protection laws in the country;
  • Understanding of the data controller or data processor’s business operations and the personal data processing operations that are carried out;
  • Understanding of information technology and data security;
  • Personal qualities such as integrity, understanding of corporate governance and high professional ethics; and
  • Ability to promote data protection culture within the organisation.

To complement the DPO Guidelines, the DPO Competency Guideline was issued. It outlines the core competencies expected of the DPO, and the knowledge, skills and abilities expected in those competencies, to provide risk-based guidance to companies on appointing their DPO. The DPO Development Roadmap sets out a prospective development pathway and training roadmap to support appointed DPOs. The DPO Training Provider Guidelines also provide a prospective framework to formally recognise and exercise oversight of training providers.

A DPO is allowed to carry out additional job functions beyond their data-specific role as a DPO, provided this does not cause a conflict of interest. A single DPO is also allowed to serve multiple entities, provided the DPO is easily accessible to the entities receiving the DPO’s service. Hence, a data controller or data processor may appoint the DPO from existing employees or through an outsourcing service. To ensure responsiveness and accessibility, the DPO must be:

  • Resident in Malaysia; or
  • Easily contactable via any means; or
  • Proficient in Bahasa Melayu (the local language) and English language

The data controller or data processor who is required to appoint a DPO is required to register their appointed DPO by providing a notification to the Commissioner.

The DPO’s contact information shall be published at least on the official website or other official media of the data controller or data processor, in the personal data protection notice and/or in the security policies and guidelines.

Last modified 12 February 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • It is a public authority
  • Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
  • Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • To inform and advise on compliance with GDPR and other Union and Member State data protection laws
  • To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
  • To advise and monitor data protection impact assessments where requested
  • To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Malta regulation

The Act does not derogate or further regulate from the provisions of the GDPR in this regard.

However, DPOs must be notified to the Commissioner (where the Commissioner has jurisdiction) by sending, even via email, the following basic information:

  • Data Controller identity
  • name of DPO
  • position
  • mailing address
  • email address
  • contact number
  • nature of business
  • date of appointment, and
  • whether the DPO is fulfilling this role for other data controllers.

Last modified 12 February 2026

The DPA 2017 provides that every controller shall adopt policies and implement appropriate technical and organizational measures so as to ensure and be able to demonstrate that the processing of personal data is performed in accordance with the Act.

One of such measures is the mandatory requirement for the designation of a data protection officer (DPO) by all controllers and processors.

There can be one DPO for a group of companies, provided he is accessible for each company within the group.

The DPO can be an employee of the controller / processor, provided that there is no conflict of interest (if such position leads to the determination of purposes and means of processing) such as in the case of a chief executive, chief operating, chief financial, chief medical, head of marketing, head of human resource or head of IT.

The DPO can also be someone from outside the organisation.

The DPO needs to have professional experience and knowledge of data protection laws and standards.

The controller / processor is required to ensure that the DPO does not receive any instructions regarding the exercise of his functions; he should work in an independent environment and manner.

Role of DPO

The role of the DPO is to:

  • advise the controller / processor and its employees about their obligations to comply with data protection laws and monitor compliance;
  • train staff and conduct internal audits;
  • advise on DPIAs;
  • maintain a record of processing operations under his responsibility;
  • be the first point of contact for the Data Protection Office and for individuals whose data are processed (employees, customers).

DPOs are not personally responsible for non-compliance with data protection requirements. Data protection compliance is the responsibility of the controller / processor.

Last modified 16 March 2026

All data controllers are required to designate a personal data officer or department (each, a Data Protection Officer) to handle requests from data subjects exercising their ARCO Rights (as defined in ‘Collection and Processing’) under the Law. Data Protection Officers are also responsible for overseeing and advising on the protection of personal data within their organizations.

Last modified 28 January 2024

The appointment of an internal data protection officer is required, in the following cases:

  • the processing is carried out by a public authority or institution, with the exception of courts acting in their judicial capacity;
  • the main activities of the Data Controller or data processors consist of processing operations which, by virtue of their nature, their scope and / or their purposes, necessitate regular and systematic monitoring of data subjects on a large scale; and
  • the main activities of the Data Controller or data processor consist of large-scale processing of special categories of data.

Last modified 13 February 2026

There is no requirement in Monaco for organizations to appoint a data protection officer.

However, the CCIN views the appointment of a data protection officer as evidence of measures a company has taken to ensure compliance with the data protection legislation. In practice, however, companies in Monaco do not generally appoint data protection officers.

Where one is appointed, he or she is usually responsible for informing and advising the members of the entity on the legal obligations regarding data processing and for cooperating with the CCIN.

Last modified 6 February 2025

Data Controllers must have a unit or personnel in charge of information and data security. The Data Protection Law provides that Data Controllers and any person who processes the data must adopt internal rules and regulations on:

  • maintenance of information security; and
  • measures to be taken in case of data loss and a plan to deliver information to the Data Owner and the relevant state authority.

In this regard, organisations, as a Data Controller and processor, may appoint a data protection officer of their own volition.

Last modified 20 March 2026

Under the DP Law, a data controller is required to appoint a DPO subsequent to the Database's establishment. However, a DPO is not required if the data controller has fewer than ten employees involved in the processing of personal data.

Last modified 13 February 2026

There is no requirement for a data protection officer under the DP Law.

Last modified 20 March 2026

The Electronic Transactions Law requires the data processor to appoint someone responsible for compliance with the provisions related to electronic personal data protection.

Last modified 17 February 2026

There is no definition for Data Protection Officers, but there is a definition for Personal Data Administrator. The Personal Data Administrator (“PDA”) means “a person and its staff authorized by a government department or an entity having power to conduct the collecting, storing and using of personal data according to the provision of this law or any existing law.” (Section 2(m) of Electronic Transactions Law as amended in 2021).

Last modified 11 February 2026

MICT

Last modified 20 March 2026

Not applicable.

Last modified 20 March 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • It is a public authority
  • Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
  • Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection laws and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • To inform and advise on compliance with GDPR and other Union and Member State data protection laws
  • To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
  • To advise and monitor data protection impact assessments where requested
  • To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Netherlands regulation

The Implementation Act (Article 39) provides more detailed information regarding the secrecy requirement set out in Article 38(5) GDPR, by stipulating that the DPO must maintain the secrecy of any information that becomes known to him or her pursuant to a complaint by or request from a data subject, unless the data subject agrees to disclosure.

Organisations must register their DPO with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The registration form is available here

A special email address and phone number are available for registered DPOs to contact the Dutch Data Protection Authority in case of questions with regard to the tasks of DPOs and GDPR compliance.

The contact details are as follows: 

Email address: [email protected]

Phone number: (+31) (0)70-8888660

Last modified 18 January 2024

The Act requires each agency to appoint one or more individuals to be a privacy officer. The privacy officer may be within or external to the agency (i.e. the privacy officer role may be outsourced to a third party) and does not need to be a New Zealand citizen or reside in New Zealand.  

The privacy officer's responsibilities include the following:

  • The encouragement of compliance with the personal IPP contained in the Act;
  • Dealing with requests made to the agency pursuant to the Act;
  • Working with the Privacy Commissioner in relation to investigations relating to the agency; and
  • Ensuring compliance with the provisions of the Act.

Last modified 13 February 2026

Any officer responsible for the Data File of each organisation must register in the Data Files Registry that the Personal Data Protection Directorate enables for this purpose. 

We must reiterate that this obligation cannot be materially fulfilled, as the Personal Data Protection Directorate has not been formally incorporated.

Last modified 28 January 2024

There is no provision in the law relating to the appointment of a data protection officer.

However, Article 79  of the Law n°2022-59 of December 16, 2022 relating to the protection of personal data pertains to the designation of the personal data protection correspondent, which is defined in Article 1 as the person designated by the company carrying out the processing of personal data, to whom data subjects or interested persons may address any queries.

Article 79 of the aforementioned Law continues to state that the correspondent must possess the required qualifications to carry out their duties and be able to make a list of processing activities immediately accessible for any person requesting the same. The correspondent is exempt from any sanction on the part of the employer resulting from the carrying out of their duties.

Furthermore, the data controller's designation of a correspondent must be notified to the HAPDP and, in the event of failure to carry out their duties, the correspondent may be discharged at the request of, or after consultation with, the HAPDP.

Last modified 6 January 2025

The Nigerian Data Protection Act 2023 requires Data Controllers of Major Importance to designate a Data Protection Officer (DPO) who will be responsible for ensuring internal compliance with the Act, other applicable data protection directives, and serving as a point of contact between the Data Controller and the regulatory body (Nigeria Data Protection Commission). The Data Protection Officer may be an employee of a Data Controller or engaged by a service contract.

Last modified 17 March 2026

Under the DP Law, data controllers and data processors are obliged to appoint a DPO in certain cases, i.e. when: 

  • processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • core activities of the data controller/processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • core activities of the data controller/processor consist of processing on a large scale of special categories of personal data and personal data relating to criminal convictions and offences.

Data protection officers must:

  • inform and advise the data controller or data processor and employees who process data about their duties in accordance with the DP Law;
  • monitor compliance with the DP Law, with other national laws and with the policies of the controller/processor;
  • increase awareness of data protection practices;
  • provide advice on Data Protection Impact Assessment;
  • collaborate with the DPA;
  • act as a contact for the DPA regarding the adequate collection and processing of personal data and perform other prescribed tasks.

Last modified 9 February 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Norway regulation

The government may issue further regulations as regards the duty to appoint a DPO. No such regulations have been issued yet.

Last modified 16 January 2025

There is currently no law in force which makes mandatory the appointment of a Data Protection Officer. Alternatively, PECA 2016 provides for the establishment of an investigation agency under section 29, whose “authorized officers” are granted powers of investigation and cognizance, which may be similar to that of a data protection officer in some capacities. The investigation agency under this provision of PECA 2016 is the Federal Investigation Agency (FIA), authorized through rule 3 of the Prevention of Electronic Crimes Investigation Rules, 2018.

However, the PDPB, which is yet to be promulgated into law, recognizes the existence and role of a Data Protection Officer, which shall be determined by the Commission.

Last modified 17 March 2026

Appointment of a data protection officer is optional under the Data Protection Law for private companies, but required for governmental entities. According to Rule No. 1-2022, banks established in the Republic of Panama are also required to appoint a data protection officer. Additionally, Insurance Regulation 5-25 established that all insurance and reinsurance sector entities are also required to appoint a data protection officer.

Last modified 12 February 2026

Under current legislation, the appointment of Data Protection Officers is not required.

Last modified 30 March 2026

The New Regulation introduces the requirement to appoint a Data Protection Officer ('DPO') under certain circumstances. This requirement applies to Data Controllers and Data Processors who either:

  • Are public entities
  • Process large volumes of Personal Data, in terms of quantity or the nature of the data processed, or
  • Carry out data processing activities that involve the processing of: 
    • Personal Data relating to a large number of data subjects,
    • Sensitive Personal Data as part of the entity's core activity or main line of business, or
    • Personal Data whose processing may result in evident prejudice to the fundamental rights or freedoms of data subjects

Compliance with this obligation is subject to staggered grace periods, ranging from November 30, 2025 to November 30, 2028, depending on the entity’s annual revenue, as follows:

| Company Type / Size | Annual Revenue | Grace Period |
| --- | --- | --- |
| Large | Over S/ 12’650,000 (approx. USD 3’756,050) | November 30, 2025 |
| Medium | Over S/ 9’350,000 (approx. USD 2’777,000.00) and up to S/ 12’650,000 (approx. USD 3’756,050) | November 30, 2026 |
| Small | Over S/ 825,000 (approx. USD 245,000.00) and up to S/ 9’350,000 (approx. USD 2’777,000.00) | November 30, 2027 |
| Micro | Up to S/ 825,000 (approx. USD 245,000.00) | November 30, 2028 |

In this regard, on December 31, 2025, through Directorial Resolution No. 100-2025-JUS-DGTAIPD, the authority published the Directive establishing provisions on the designation, performance, and functions of the DPO ('Directive').

According to the Directive, the individual appointed as DPO must meet the following requirements:

  • Have at least two (2) years of general professional experience in functions related to personal data protection or related fields, such as information security, cybersecurity, digital governance, artificial intelligence, or other activities related to the processing of personal data.
  • Have at least one (1) year of specific experience in activities directly related to personal data protection, at a national or international level, in either the public or private sector.
  • Possess duly accredited knowledge of personal data protection. Such knowledge may be evidenced through proven and continuous experience in university teaching or research in the field, completed postgraduate studies or academic degrees, or certifications and/or diplomas in personal data protection or related matters, in accordance with the criteria set out in the Directive.
  • Demonstrate moral and ethical integrity, which includes not having a final criminal conviction for intentional crimes, being subject to a formal criminal investigation, or having been convicted of computer-related crimes, among other circumstances set out in the Directive.

Additionally, the DPO must:

  • Act with functional independence in the performance of their duties, meaning that they may not be instructed or directed regarding the substance of their opinions, recommendations, or technical decisions.
  • Be familiar with the internal regulations, directives, and guidelines governing the company’s data protection management framework.
  • Have knowledge of the sector in which the company operates, as well as the regulations and obligations that directly or indirectly affect personal data processing activities.

The key responsibilities of the DPO include:

  • Informing and advising on the obligations established under personal data protection regulations.
  • Monitoring and reporting on compliance with applicable laws and with the policies of the data controller or data processor, including the allocation of responsibilities, awareness-raising and training of personnel involved in processing activities, and the performance of audits.
  • Cooperating with the NDPA in the exercise of its functions and powers.
  • Acting as the primary point of contact with the NDPA on matters related to the processing of personal data.

The DPO may be either internal or external to the company. The appointment of the DPO must be notified to the NDPA within 15 business days following the designation. Likewise, the identification and contact details of the DPO must be made available to data subjects.

Last modified 10 February 2026

The PIC of an organization must appoint a person or persons who shall be accountable for the organization’s compliance with the Act, and the identity of such person or persons must be disclosed to the data subjects upon the latter’s request. The implementing rules and regulations of the Act likewise require any natural or juridical person or other body involved in the processing of personal data to designate an individual or individuals who shall function as DPO, compliance officer or otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security. The Act does not specifically provide for the citizenship and residency of the DPO. The Act likewise does not specifically provide for penalties relating to the incorrect appointment of DPOs.

The NPC has published guidelines on the designation of the DPO.

Last modified 16 March 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • It is a public authority;
  • Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
  • Its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection laws and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • To inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • To advise and monitor data protection impact assessments where requested;
  • To cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Poland regulation

According to the PDPA, the appointment of a Data Protection Officer ("DPO") must be notified to the supervisory authority within 14 days. The notification should include the name and email address of the DPO or his or her phone number. Any changes to the information provided or the dismissal of a DPO should also be notified within 14 days. The entity who appointed the DPO shall make available the DPO's details on its website or in a generally accessible manner at a place of pursuit of activity (if it does not have its own website). According to official guidance from the Polish DPA, the contact details of the DPO should be easily accessible, not hidden somewhere in long documents such as a privacy policy etc.

The Implementing act includes the possibility to designate a person to replace the DPO during their absence (e.g. temporary absence). However, it would be necessary to inform the Polish DPA about the designation in the same way as about the designation of a DPO. All rules and requirements for DPOs, such as the ones stated in article 37 of the GDPR or the obligation to inform the Polish DPA are also applicable to this person.

If the data controller is obliged to appoint a DPO in accordance with Article 37 of the GDPR but did not appoint one under the previous PDPA, the appointment of the DPO should have taken place and been notified to the President of the Office before July 31, 2018.

The guidelines of the Polish DPA clearly emphasise the strong independence of the DPO. To support this, the DPO should report directly to the highest management level, ensuring an authoritative position and efficient reporting lines, which is essential when quick corrective action is required.

Additional safeguards include a ban on issuing instructions to the DPO, avoiding conflicts of interest and prohibiting dismissal or penalisation for performing their duties. DPOs should also be involved in all matters related to data protection, including incidents and data breaches, and must be informed of any breach without delay so they can monitor the response process from the earliest stage.

However, DPOs cannot perform tasks that fall exclusively within the responsibility of controllers or processors. In practice, to preserve their independence, they should refrain, among other things, from submitting breach notifications to the Polish DPA on behalf of the controller, notifying data subjects of breaches, documenting breaches in a way that involves determining purposes, means or remedial measures, or making any commitments regarding data security on behalf of the controller or processor.

Last modified 16 February 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • It is a public authority
  • Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale
  • Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • To inform and advise on compliance with GDPR and other Union and Member State data protection laws
  • To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
  • To advise and monitor data protection impact assessments where requested
  • To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Portugal regulation

In accordance with Law no 58/2019 of 8 August, the appointment of a Data Protection Officer (DPO) shall follow the requirements provided in Article 37(5) of the GDPR. No professional certification is required and the DPO is bound by professional secrecy. In addition to the functions described in the GDPR, DPOs shall ensure that audits are conducted, inform users of the importance of detecting data breaches, and handle relations with data subjects in matters covered by the GDPR and national data protection laws.

For the purposes of the mandatory notification of the data protection officer to the supervisory authority under Article 37(7) of the GDPR, the supervisory authority has established the applicable notification procedure. A specific form made available by the supervisory authority on its website should be completed and submitted online.

Last modified 12 February 2026

There is currently no obligation for organizations in Qatar to appoint a data protection officer. There is an obligation on the data controller to specify processors responsible for protecting personal data, train them appropriately on the protection of personal data and raise their awareness in relation to protecting personal data.

Last modified 17 January 2024

There is no requirement under the DPL or the DPR for organizations to appoint a data protection officer. Note, however, the general obligation of a data controller to implement appropriate technical and organizational measures to protect personal data, as further detailed below (see Security). It is nevertheless recommended that organizations that operate on a large scale or carry out regular and systematic monitoring of individuals appoint an individual responsible for overseeing the data controller’s compliance with data protection requirements.

Last modified 17 January 2024

A data protection officer (délégué à la protection des données) needs to be appointed when:

  • the data processing is carried out by a public entity;
  • the data processing, because of its nature or purpose, requires regular and systematic follow-up; or
  • the data processing is on a large scale for particular data.

Last modified 4 February 2026

EU regulation

Each controller or processor is required to appoint a data protection officer (DPO) if it satisfies one or more of the following tests:

  • It is a public authority
  • Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale
  • Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities, provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge of data protection law and practices, though it is possible to outsource the DPO role to a service provider.

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data," and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks.

The specific tasks of the DPO, set out in GDPR, include:

  • To inform and advise on compliance with GDPR and other Union and Member State data protection laws
  • To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
  • To advise and monitor data protection impact assessments where requested
  • To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Romania regulation

In addition to the requirements provided by the GDPR in Articles 37 to 39, Law no. 190/2018 provides that a data protection officer (DPO) must be designated whenever the entity acting as controller is processing a national identification number, including by collecting or disclosing any documents enclosing such national identification number, when the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, in accordance with the provisions of Article 6 paragraph 1 letter (f) of the GDPR.

Last modified 6 January 2025

If the data controller is a legal entity, it is required to appoint a data protection officer. Such an appointment is considered to be a personal data protection measure. The data protection officer oversees compliance by the data controller and its employees regarding the data protection issues, informs them of statutory requirements and organises the receiving and processing of communications from data subjects.

There are no legal restrictions as to whether the data protection officer should be a citizen or resident of the Russian Federation. However, it is advisable that the data protection officer is available in case there is an inspection or other communication from the authorities.

Non-appointment or improper appointment of the data protection officer is a violation of the data protection regime and may result in the imposition of penalties and enforcement protocols, as described below.

Last modified 6 January 2025

The Data Protection Law requires that the DC and DP designate a data protection officer in the following cases (article 40): 

  • the processing of personal data is carried out by public or private corporate body or a legal entity, except courts;
  • the core activities of the DC or the DP consist of personal data processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the DC or the DP consist of processing on a large scale of sensitive personal data and personal data of convicts in accordance with the Data Protection Law’s requirements for the processing of such data.

Last modified 6 January 2025

The PDPL clarifies when a data controller must appoint a data protection officer. This includes where the data controller is a public entity that provides services involving the processing of personal data on a large scale, where the primary activities of the data controller consist of processing operations that require regular and continuous monitoring of individuals, also on a large scale, and where the core activities of the data controller consist of processing sensitive data.

Last modified 6 January 2025

For businesses, the appointment of a Data Protection Officer (DPO) is left to the exclusive discretion of the data controller.

However, the Act provides that the following shall be communicated to the CDP: the department responsible for carrying out the processing; the categories of persons who, by reason of their duties or for the needs of the department, have direct access to the recorded data; and the function of the person or department with whom the right of access to the processed data is exercised (Article 22 of the Act).

Additionally, the CDP is available to assist businesses with training their DPO on data protection law and regulations.

Regarding ministries, the appointment of data focal points of the CDP ("Points focaux") is required in each ministry for the purposes of the census and declaration of files and databases according to Directive No. 2757 of June 24, 2014, designating focal points of the CDP within the ministries regarding the census of files relating to personal data.

Last modified 19 March 2026

According to the DP Law, controllers and processors are required to designate a data protection officer (“DPO”), whose primary task is to ensure compliance with the data processing law and regulations and to communicate with the DPA and the data subjects on all data protection matters. Similar to the GDPR, this obligation applies if the following criteria are met:

  • The processing is carried out by a public authority (with the exception of a court performing its judiciary authorizations).
  • The core activities of the controller / processor require the regular and systematic monitoring of data subjects on a large scale, or the large-scale processing of special categories of personal data — eg, health data or trade union memberships, or criminal convictions / offences data.

The DPO may be employed or engaged under a service contract, and in any case must have sufficient expert knowledge. A group of companies may appoint a single DPO, provided that he is equally accessible to each company.

Controllers and processors are required to ensure the DPO’s independence in the performance of his tasks. This means the following:

  • No instructions may be given to the DPO.
  • The DPO must report directly to the manager of the controller / processor.
  • The DPO may not be dismissed or penalized for performing his or her tasks.

Last modified 13 February 2026

Pursuant to Section 45 of the Act, a data controller or processor must designate a DPO where:

  • the core activities involve regular and systematic monitoring of data subjects on a large scale, or
  • the core activities involve large-scale processing of special categories of personal data.

The DPO functions as:

  • an internal compliance officer responsible for overseeing adherence to the Act; and
  • a point of contact and liaison with the Information Commission.

Last modified 16 March 2026

It is mandatory for each organization to appoint one or more DPOs to be responsible for ensuring the organization’s compliance with the Act. An organization may appoint one person or a team of persons to be its DPO. Once appointed, the DPO may in turn delegate certain responsibilities, including to non-employees of the organization. The business contact information of the DPO must be made available to the public.

While there is no requirement for the DPO to be a citizen or resident in Singapore, the Commission suggests that the DPO should be readily contactable from Singapore, available during Singapore business hours and, where telephone numbers are provided, these should be Singapore telephone numbers.

Failure to appoint a DPO may lead to a preliminary investigation by the Commission. If an organization or an individual fails to cooperate with the investigation, this will constitute an offence. As a result, an individual may be subject to a fine of up to SGD 10,000 or imprisonment for a term not exceeding 12 months, or to both. An organization may be subject to a fine of up to SGD 100,000.

Last modified 27 February 2026

National Ordinance Personal Data Protection 

Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data. 

Besides the measures above, the National Ordinance Personal Data Protection does not contain any clauses on any type of registration, filings of documents to any public agency or having a mandatory data protection officer in place. 

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

  • When the organisation is a public authority or body;
  • If the core activities require regular and systematic monitoring of data subjects on a large scale; or
  • If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.

Last modified 10 February 2025

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; 
  • to cooperate and act as point of contact with the supervisory authority; and
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Slovak Republic regulation

There is an online form on the website of the Slovak Office which should be completed in order to notify the supervisory authority of the appointment of a DPO.

Last modified 6 January 2025

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • It is a public authority;
  • Its core activities consist of processing operations which, by virtue of their nature, scope, or purposes, require regular and systemic monitoring of data subjects on a large scale; or
  • Its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2) GDPR), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5) GDPR) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6) GDPR).

It should be noted that ZVOP-2 provides for two other requirements for appointment of DPOs, namely: (a) legal capacity and (b) that the person has not been sentenced to a minimum term of imprisonment of six months or has not been the subject of a final conviction for a criminal offence relating to the misuse of personal data. Additional conditions also vary depending on whether the DPO works in a public authority, public sector (other than public authority) or in the private sector.

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1) GDPR), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3) GDPR).

The specific tasks of the DPO, set out in GDPR, include (Article 39 GDPR):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

In accordance with Article 48 ZVOP-2, the DPO performs the tasks listed in Article 39 GDPR and, specifically, provides advice on risk assessments regarding the security of personal data related to all processing of personal data in databases which is carried out by the controller or processor to whom they are assigned.

Last modified 10 February 2026

Data protection officers (referred to in POPIA as "information officers") must be registered with the Information Regulator. The duties and responsibilities of a responsible party's information officer are set forth in POPIA and include encouraging and ensuring compliance with POPIA; dealing with any requests made to that responsible party in terms of POPIA; and working with the Information Regulator in respect of investigations by the Information Regulator in relation to that responsible party. The Regulations to POPIA, among other things, further provide that the information officer must ensure that a compliance framework is developed, implemented, monitored and maintained, and that a personal information impact assessment is conducted to ensure that adequate measures and standards for the protection of personal information exist.

Last modified 16 February 2026

Under PIPA, every personal data controller (which means any person, any government entity, company, individual or other person that, directly or through a third party, controls and / or processes personal information in order to operate personal information files as part of its activities) must designate a chief privacy officer (“CPO”). The CPO must be an employee or executive of the company.

In addition, personal data controllers that meet certain criteria are required to designate a CPO with: 

  • at least three years of experience in personal information protection; and
  • a combined career of at least six years in personal information protection, data protection and information technology. 

More specifically, the obligation to designate a CPO with the foregoing qualifications is applicable to an entity whose annual sales revenue or income amounts to at least KRW 150 billion, and: 

  • processes sensitive information or unique identification information of at least 50,000 data subjects, or processes personal information of at least 1 million data subjects;
  • is a school under the Higher Education Act with at least 10,000 enrolled students as of December 31 of the immediately preceding year;
  • is a tertiary hospital under the Medical Service Act; or
  • is a public institution operating a personal information processing system which meets the standards set by the PIPC.

There are no nationality or residency requirements for the CPO. 

If a CPO is not designated, the personal information processing entity may be subject to a maximum administrative fine of KRW 10 million under the PIPA.

The recently amended PIPA mandates that personal data controllers meeting certain thresholds – to be specified in the forthcoming Presidential Decree currently undergoing the legislative process – must obtain approval from the Board of Directors for the appointment, change or dismissal of a CPO, and formally report such designation to the PIPC. 

Furthermore, to establish a continuous and robust personal information safety management system, the CPO’s role has been significantly strengthened. The CPO’s obligations under the amended PIPA are as follows:

  • establishing and implementing plans for the protection of personal information;
  • managing specialized personnel and securing necessary budgets for the protection of personal information;
  • reporting the current status and key matters of personal information protection to the business owner, representative and the Board of Directors;
  • performing periodic investigations and improving the status and practices of the processing of personal information;
  • handling complaints and dealing with damage pertaining to the processing of personal information;
  • establishing internal control systems for preventing leakage, misuse and abuse of personal information;
  • establishing and implementing training sessions for the protection of personal information;
  • protecting, managing, and monitoring personal information files;
  • establishing, amending, and implementing a privacy policy;
  • managing materials concerning the protection of personal information; and
  • destroying personal information for which the purpose of processing has been achieved or for which the retention period has expired.

Last modified 20 March 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely.


Spain regulation

The NLOPD includes a lengthy list of organisations and companies that are required to appoint a DPO. Accordingly, insurance or reinsurance companies, financial credit institutions, educational institutions, electric and natural gas distributors, and advertising and marketing companies, among others, are required to appoint a DPO. The NLOPD also allows organisations and companies to voluntarily appoint a DPO. Please note that, in either case, the appointment of the DPO must also be communicated to the AEPD using the AEPD online facilities.

Last modified 6 January 2025

The PDPA requires controllers and processors which are not public authorities to appoint a Data Protection Officer (“DPO”) where their core activities consist of:

  • processing operations that require regular and systematic monitoring of data subjects on a prescribed scale or magnitude;
  • processing special categories of personal data on a prescribed scale or magnitude; or
  • processing which results in a risk of harm affecting the rights of the data subjects protected under the PDPA as may be determined by the Authority by way of guidelines made under the PDPA.

The Authority has published the draft Personal Data Protection (Scale or Magnitude of Processing and Qualifications of Data Protection Officer) Regulations ("DPO Regulations") for public consultation. These DPO Regulations are still in draft form and were published prior to the Amendment Act coming into force. Therefore, they may be subject to change.

However, it may be noted that the DPO Regulations provide that the aforesaid scale and magnitude of processing ought to be assessed by taking into consideration the following:

  • whether the processing currently involves or is estimated to involve within the next twelve months, twenty-five thousand or more data subjects;
  • whether the processing is carried out by twenty or more persons;
  • the volume of personal data being processed;
  • the range of different data items being processed;
  • the geographical extent of the monitoring;
  • the frequency, nature and purpose of the monitoring; and
  • the duration or permanence of the monitoring.

A DPO is defined in the PDPA to include a third party who is not directly employed by a controller or processor, but fulfils the responsibilities of a DPO, allowing controllers and processors to outsource the function of the DPO.

The PDPA also permits a group of entities to appoint a single DPO provided, however, such DPO is easily accessible by all of the group entities. Such DPO is required to be a competent individual possessing academic and professional qualifications in matters relating to data protection. 

The DPO Regulations prescribe that the DPO must possess:

  • a degree in law, public or business administration, information technology, information security, computer science, or a related field (each academic or professional qualification has to be one recognized in Sri Lanka); and
  • a good understanding of data protection laws and regulations of Sri Lanka.

The specific responsibilities of the DPO as per the PDPA include:

  • advising controllers or processors on data processing obligations or requirements;
  • advising the controller or processor on complying with the provisions of the PDPA;
  • facilitating capacity building of staff engaging in data processing operations;
  • advising on personal data protection impact assessments; and
  • co-operating and complying with all directives and instructions issued by the Authority.

Last modified 17 February 2026

EU regulation

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must report directly to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

  • to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Sweden regulation

There are no derogations in domestic Swedish law, except that under the Data Protection Act, a DPO performing tasks under Article 37 GDPR shall not disclose without authorisation what has come to their knowledge in the performance of their tasks. Furthermore, the Public Access to Information and Secrecy Act (Offentlighets- och sekretesslag (2009:400)) applies in relation to the confidentiality obligation of a DPO within the public sector.

Last modified 13 February 2026

There is no requirement to appoint a data protection officer (DPO).

However, controllers have the option to appoint a DPO as a contact point for the data subjects and the competent data protection authorities. A DPO's main tasks would be to train and advise private controllers in data protection matters and to participate in the implementation of data protection regulations.

The controller may also designate an “independent” DPO who meets certain additional qualifications. In such a case, the controller has to ensure that the DPO has all necessary resources (including access to the data processing activities and personal data) to fulfil its tasks and has the right to inform the management or governing body regarding important data protection matters. Additionally, the DPO must exercise its function in a professionally independent manner and without being bound by instructions from the controller and shall not perform any activities which are incompatible with its tasks as DPO. The DPO shall also possess the required expertise. Finally, the contact details of the DPO must be published and notified to the FDPIC.

In case an “independent” DPO is appointed, the controller has no obligation to consult with the FDPIC in the event that a data protection impact assessment indicates a high risk to the personality or the fundamental rights of the data subject despite the planned measures by the controller (see Collection and processing). This is the only relief granted in case of appointing an “independent” DPO.

Last modified 6 January 2025

The PDPA does not impose a general requirement to have a data protection officer. However, there are industry-specific regulations in certain industries (such as financial institutions or airlines) requiring personnel to handle personal data protection matters.

Last modified 19 March 2026

Tajik law does not require the appointment of a Data Protection Officer or any similar position.

Last modified 27 January 2025

Data controllers or processors must appoint a Data Protection Officer (“DPO”). The DPO is responsible for:

  • ensuring controls and security measures for protection of personal data are established and fully implemented;
  • ensuring compliance with the PDPA and its regulations;
  • managing data subjects’ requests and complaints; and
  • submitting quarterly compliance reports to the PDPC.

Last modified 24 March 2026

Data Controllers and Data Processors are only required to appoint a data protection officer (DPO) if any of the following applies:

  • the Data Controller or the Data Processor is a public authority as prescribed and announced by the Regulator;
  • it requires regular monitoring of Personal Data or the system due to the collection, use or disclosure of a large amount of Personal Data as prescribed by the Regulator; or
  • the core activity of the Data Controller or the Data Processor involves the collection, use, or disclosure of Sensitive Personal Data.

The relevant subordinate regulation was issued on 14 September 2023. It sets out criteria for the core activities of Data Controllers and Data Processors that require ‘regular monitoring’ and indicates factors to be considered in determining a ‘large amount’ of Personal Data. For example, if the core activities consist of tracking, monitoring, analysing, or profiling of personal behaviour or characteristics, and generally involve the processing of Personal Data in a systematic manner and on a regular basis, such core activities require ‘regular monitoring’. If the processing covers the Personal Data of 100,000 data subjects or more, or is for behavioural advertising purposes via a search engine or social media, or is carried out by an insurance company, financial institution, or licensed telecommunications operator, such processing is considered the processing of a ‘large amount’ of Personal Data.

Last modified 14 February 2026

None.

Last modified 15 February 2022

There is no such requirement under the DPA.

Last modified 26 January 2023

Under Tunisian law (Law n° 2004-63 dated July 27, 2004), there is no reference to Data Protection Officers.

Nevertheless, with regard to health data protection, under Decision No. 4 of September 5, 2018 organizing personal health data, healthcare establishments must appoint a DPO.

For other types of sensitive personal data, it is preferable that each entity that processes personal data provides data subjects with an address of its DPO through which they can exercise their right of access to data and their right of opposition to their data processing.

Last modified 12 February 2026

There is not yet a requirement in Turkey to appoint a data protection officer in the sense of GDPR. However, there is a requirement to appoint a local Representative for foreign controllers.

Last modified 27 January 2025

No appointment of a data protection officer is required under the Data Protection Law.

Last modified 23 December 2022

Controllers and Processors must appoint a DPO where:

  • the Processing is carried out by a public authority, except for courts acting in their judicial capacity;
  • the core activities of the Controller or the Processor consist of Processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of Data Subjects on a large scale; or
  • the core activities of the Controller or the Processor consist of Processing on a large scale of special categories of Personal Data.

Last modified 9 January 2024

Data Protection Officers (“DPOs”) are mandatory for:

  • DIFC Bodies (as defined under the DPL, other than courts acting in their judicial capacity); and
  • a Controller or Processor performing High Risk Processing Activities on a systematic or regular basis.

A Controller or Processor could also be required to appoint a DPO by the Commissioner.

A Group (defined under DPL) may appoint a single DPO provided that he is easily accessible to each entity in the Group. The DPO must reside in the UAE unless he is an individual employed within the organisation's Group and performs a similar function for the Group on an international basis.

In addition, if a Controller or Processor is not required to appoint a DPO, it must still clearly allocate responsibility for oversight and compliance with respect to data protection duties and obligations and provide details to the Commissioner (i.e. the person appointed, pursuant to the DPL, to monitor, ensure and enforce compliance with the DPL).

(Article 16 DPL)

Last modified 27 January 2025

There is a requirement for each Licensee to have one or more Data Protection Officers (DPO). The responsibilities of the Data Protection Officers include:

  • the encouragement of compliance by the Licensee with the HDPR;
  • dealing with requests made to the Licensee under the HDPR; and
  • otherwise ensuring compliance by the Licensee with the provisions of the HDPR (section 40 HDPR).

Last modified 27 January 2025

Processors and Controllers who are:

  • conducting data processing which would cause a high risk to the confidentiality and privacy of the Data Subject’s personal data as a consequence of adopting new or data size-based technologies;
  • conducting data processing which will involve a systematic and comprehensive assessment of sensitive personal data, including profiling and automated processing; or
  • processing large volumes of sensitive personal data,

will need to appoint a DPO.

The DPO can be a staff member or someone working on a service contract and does not necessarily need to be located in the UAE.

Last modified 27 January 2025

Every entity whose activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or whose activities consist of processing special personal data, is required to designate a personal data protection officer charged with ensuring compliance with the data protection law. The Act and the Regulations do not provide any criteria for the appointment of data protection officers.

Under Regulation 47 of the Data Protection and Privacy Regulations, the Personal Data Protection Office is required to specify the persons, institutions, and public bodies required to designate a data protection officer. This publication is yet to be released by the Office.

Last modified 13 February 2026

Data owners and processors processing personal data that is of particular risk to the rights and freedoms of personal data subjects must establish a special department or appoint a responsible person (data protection officer) to be responsible for personal data processing matters. Other owners and processors may either establish a department or appoint a responsible person on a voluntary basis.

There are no requirements for the data protection officer to be a citizen or a resident in Ukraine. However, if he or she is a foreign citizen under the general rule, a work permit must be obtained for him or her to hold such a position. There are no particular penalties for the incorrect appointment of Data Protection Officer.

Last modified 27 January 2025

Under the UK GDPR, each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

  • it is a public authority;
  • its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale; or
  • its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data" (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in the UK GDPR, include (Article 39):

  • to inform and advise on compliance with the UK GDPR and other UK data protection laws;
  • to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
  • to advise and monitor data protection impact assessments where requested; and
  • to cooperate and act as point of contact with the supervisory authority.

Last modified 24 February 2026

With the exception of entities regulated by HIPAA, there is no general requirement to appoint a formal data security officer or data privacy officer.

Massachusetts and some other state laws and federal regulations, including the recently updated FTC Safeguards Rule (applicable to non-banking financial institutions), require organizations to appoint one or more employees to maintain their information security program.

Last modified 31 March 2026

While Uruguay's data protection law does not establish a general obligation for all organizations to appoint a Data Protection Officer (DPO), Decree No. 64/020 introduced specific cases in which the designation of a DPO is required. In particular, entities whose core activities involve the large-scale processing of personal data, especially sensitive data, or those that carry out systematic monitoring of individuals, must appoint a Data Protection Officer. The DPO is responsible for advising the organization on compliance with Law No. 18,331, monitoring the implementation of data protection policies, and acting as a point of contact with the Regulatory and Control Unit of Personal Data ('URCDP').

Last modified 6 March 2026

According to the Law on Personal Data, government bodies, legal entities and individuals processing personal data (i.e. operators of personal data) or having the right to use and dispose of personal data (i.e. owners of personal data) must designate a structural unit or a responsible person to organize work on personal data protection in the course of its processing, in accordance with the Model Rules on Processing of Personal Data, registered with the Ministry of Justice under No. 3477 on November 15, 2023.

Last modified 27 January 2025

There is no legal requirement to appoint a Data Protection Officer.

Last modified 12 December 2022

Agencies and organizations must:

  • establish an internal Data Protection Department (“DPD”) and/or
  • appoint a Data Protection Officer (“DPO”) with adequate capacity or hire an external personal data protection service provider to handle the personal data protection obligations of the organization.

Information on such a DPD and/or DPO (or the external DPO service providers (if any)) must be declared in the DPIA and the TIA dossiers submitted to the authority. 

The Decree 356 sets out specific qualifications of the person eligible to be appointed as a DPO or a member of DPD. 

The appointment of a DPD / DPO must be made in the form of a written decision made by the company (i.e. a board resolution or a letter of appointment signed by the company's legal representative and affixed with the stamp of the company) and a copy of this written decision is required to be submitted alongside the DPIA / TIA dossiers. Where the organization hires an external DPO, the corresponding service contracts must be executed and submitted together with the DPIA / TIA dossiers.

Last modified 15 February 2026

Data controllers and data processors are required to appoint a data protection officer in line with the guidelines issued by the Data Protection Commissioner.

Last modified 27 January 2025

Data controllers are required to appoint a data protection officer ("DPO") and notify the Authority in writing using Form DP2. 

The Authority must also be notified of any changes to the DPO's contact information, dismissal, or resignation. 

DPOs must have the following qualifications:

  • Skill, qualifications, or experience in data science, data analytics, information security systems, information systems audit, law, audit, or any other relevant qualification;
  • Knowledge of national data protection laws and practices;
  • Understanding of the data controller’s business operations and processing activities;
  • Certification through a course approved by the Authority.

DPOs have the following duties:

  • Monitoring compliance with the Act, the Regulations, and organizational data protection policies;
  • Managing internal data protection activities;
  • Raising awareness of data protection;
  • Training staff on data protection;
  • Conducting internal data protection compliance audits;
  • Dealing with requests from the Authority and data subjects;
  • Advising employees on their data protection obligations;
  • Advising on and monitoring data protection impact assessments;
  • Working with the Authority; and
  • Acting as the contact point for data subjects.

Last modified 20 March 2026
