What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is the person responsible for verifying that an organization's processing of personal data complies with the applicable law. The DPO communicates information about that processing, such as its purposes, interconnections with other systems, the types of data and categories of data subjects involved, retention periods and the department(s) in charge of carrying it out. Depending on the jurisdiction, appointing a DPO may be required by law or merely recommended.
Employers (and other personal information controllers and processors) must designate a DPO who is accountable for compliance with the Data Privacy Act (DPA) and the rules and regulations issued under it relating to privacy and data protection. The DPO's responsibilities include:
- monitoring compliance with the DPA and its implementing rules and related regulations;
- ensuring the conduct of Privacy Impact Assessments;
- advising the employer regarding complaints and/or the exercise by data subjects of their rights;
- ensuring proper data breach and security incident management;
- cultivating awareness on privacy and data protection;
- advocating for the development, review and revision of data privacy guidelines; and
- serving as the employer's contact person for data subjects and the National Privacy Commission.
Note that, with the National Privacy Commission's approval, a group of related companies can designate a single DPO who is primarily accountable for data protection compliance across the entire group. In that case, each company in the group still needs its own Compliance Officer for Privacy (COP).
The contact details of the DPO or COP must be accessible to concerned parties: they must be published on the company's website and included in its privacy notices, privacy policies and privacy guides. The published details should include the title or designation, postal address, a dedicated phone number and a dedicated email address. The individual's name does not need to be published, but must be made available on request (NPC Advisory No. 2017-01 – Designation of Data Protection Officers).