Data Protection Officer is mandatory, again.
Article 35 of the latest version of GDPR states that “The controller and processor shall designate a data protection officer in any case where: […] “.
To clearly understand which controllers and processors are included in such categories, the local language versions – and perhaps some comments – are needed.
Controller and processor are now required (if this will be the final version) to address the same compliance issues.
In any case all the above confirm that the “trilogue” (Commission, Parliament and Council) is very close to define and approve the GDPR.
In the consolidated text dated Dec. 4th 2015, we find at the same article 35:
The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in
their judicial capacity; or
(b) the core activities of the controller or the processor consist of processing operations
which, by virtue of their nature, their scope and/or their purposes, require regular and
systematic monitoring of the data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large
scale of special categories of data pursuant to Article 9 and data relating to criminal
convictions and offences referred to in Article 9a.
Welcome back DPO. At least we got rid of some unnecessary ambiguity in the regulation, although some degree of discretion is required to ease national law harmonization, I’m happy the DPO is mandatory again.