A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on the processing of personal data, such as its purposes, interconnections, types, categories of data subjects, length of retention and the department(s) in charge of implementing processing. DPOs may be required by law or recommended.
The European General Data Protection Regulation requires that data controllers and data processors designate a DPO in any case where:
A DPO is not mandatory for every organization but is highly recommended.
Under Finland’s Act on the Protection of Privacy in Working Life (759/2004), employers are expected to nominate individuals or specify tasks that involve processing employee health-related information. Data relating to an employee’s state of health can only be processed by individuals “who prepare, make or implement decisions concerning employment relationships on the basis of such information” (Sec. 5, 2).