The Regulation introduces the concept of the data protection officer (DPO), who may be a member of staff of the controller or processor or may fulfil the tasks on the basis of a service contract. A data protection officer must be designated in the following cases:
- where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity). In this case, a single data protection officer may be designated for several such authorities or bodies;
- where the processing operations require regular and systematic monitoring of data subjects on a large scale;
- where the operations consist of processing special categories of data or personal data relating to criminal convictions and offences.
Once designated, organisations within the scope of action of the APDCAT must communicate details of the DPO to that Authority and keep it updated of any change in those details.
For further information about how to communicate designation of the DPO to the APDCAT, please use this link (Catalan version available).