If you process personal data, you will need to appoint a person to act as a data protection officer in the following cases:
- If you are a public authority or body (other than courts and tribunals).
- If the processing requires the regular and systematic observation of data subjects on a large scale.
- If the processing is aimed at special categories of personal data (health, ideology, religion, etc.) or data relating to convictions or criminal offences.
It is also necessary to appoint a DPO in the cases indicated in Art. 34 of the LOPDGGD.
You must communicate their contact details to the APDCAT, through the corresponding procedure available at the e-site, or to the competent control authority.
You must bear in mind that the DPO must have autonomy in the exercise of their functions; they must be a member of upper management and be provided with all the necessary resources to carry out their activity.
Requirements and qualifications
When appointing a DPO, you should consider their professional qualifications and, in particular, their knowledge of data protection law and practice. No specific qualification is required, but knowledge of law is required. It is also necessary to have knowledge outside the strictly legal field, for example in the field of technology applied to data processing or in relation to the field of activity of the organisation in which they carry out their work.
The person can prove compliance with the qualification requirements provided for in the GDPR through voluntary certification mechanisms, which will take into account, in particular, the obtaining of a university degree that accredits knowledge in law and practice in the field of data protection. However, they can also be accredited in other ways.