Which institutions/enterprises must appoint a personal data protection officer?

A personal data protection officer (DPO) should be present at all institutions, ministries and municipalities as well as certain companies that work with a lot of personal data or monitor individuals online, for example to create a personal profile for them.

The appointment of a data protection officer is compulsory when:

• the processing is carried out by the government or municipality (regardless of the personal data processed).

• The main activity of the controller or processor is related to processing operations, which involve extensive, regular and systematic monitoring of individuals.

• The main activity of controllers or processors is extensive processing of sensitive personal data or personal data relating to criminal convictions and criminal offences.

It is desirable that companies that carry out tasks performed in the public interest designate personal data protection officers, although they are not considered to be governmental, and companies that are majority owned by the state designate such officers.

Companies that do not carry out these activities are nevertheless free to appoint a personal data protection officer, but it should be kept in mind that they must have the same requirements as those that are required when it is mandatory to appoint a representative.

When a personal data protection officer has been appointed by the company or the government, the controller must notify the Data Protection Authority with information on his name, e-mail address and telephone number.