A Data Protection Officer (DPO) is a person in charge of verifying that personal data processing complies with the applicable law. The DPO communicates information about the processing of personal data, such as its purposes, interconnections, types, categories of data subjects, length of retention and the department(s) in charge of implementing the processing. DPOs may be required by law or recommended.
Employers (and other information controllers and processors) must designate a DPO who is accountable for compliance with the Data Privacy Act and associated rules and regulations relating to privacy and data protection. The DPO’s responsibilities include:
Note that with the National Privacy Commission’s approval, a group of related companies can appoint/designate a DPO to be primarily accountable for ensuring data protection compliance across the entire group. In this case, each company would still need to have a Compliance Officer for Privacy (COP).
A DPO or COP’s contact details must be accessible to concerned parties and must be published on the company’s website and included in privacy notices, privacy policies and privacy guides. The contact details should include the title/designation, postal address, dedicated phone number, and dedicated email address. The individual’s name does not need to be published, but should be available if requested (NPC Advisory No. 2017-01 – Designation of Data Protection Officers).