What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on processing personal data such as its purposes, interconnections, types, categories of data subjects, length of retention and department(s) in charge of implementing processing. DPOs may be required by law or recommended.
Data controllers (such as employers) with a physical presence in Russia must appoint a DPO who is responsible for the company’s personal data processing practices. DPOs are responsible for:
- ensuring that the employer and employees comply with Russia’s data protection laws and personal data processing laws;
- informing employees about data protection laws and ensuring they are aware of the company’s internal policies; and,
- ensuring requests submitted by data subjects (such as employees and job applicants) to exercise their personal data processing rights are duly considered (for example, the right to access their personal data).