What is, and which organizations have to appoint a DPO?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on processing personal data such as its purposes, interconnections, types, categories of data subjects, length of retention and department(s) in charge of implementing processing. DPOs may be required by law or recommended.
Employers may be required to appoint a Data Protection Officer, depending on the company’s data processing operations. Under the Serbian Data Protection Law (2018), companies must appoint a Data Protection Officer when:
- by nature, scope or purpose, the company’s core activities require large-scale, systematic and regular monitoring of data subjects; or,
- a company’s core activities consist of processing special categories of personal data and data relating to criminal convictions/offences on a large-scale.