What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on the processing of personal data, such as its purposes, interconnections, types, categories of data subjects, length of retention and the department(s) in charge of implementing the processing. DPOs may be required by law or recommended.
The European General Data Protection Regulation requires that data controllers and data processors designate a DPO in any case where:
- the processing of personal data is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing, on a large scale, special categories of data and personal data relating to criminal convictions and offences.
Greece’s GDPR implementing legislation (L. 4624/2019, Art. 62) places certain responsibilities on Data Protection Officers and the Data Controller (such as the employer in the context of employment), including technical and organizational measures to ensure a level of security appropriate to the risk when processing personal data. These include:
- equipment access control;
- storage control;
- verification of users;
- data access control;
- communication control;
- data input control;
- control of data transmission; and/or
- provision of organizational or spatial separation of data.
A DPO is not mandatory for every organization but is highly recommended.