Article 30*

Article 30 – Designation of the data protection officer

1. Member States shall provide that the controller or the processor designates a data protection officer.

2. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 32.

3. The data protection officer may be designated for several entities, taking account of the organisational structure of the competent authority.

EDRi’s proposed amendment

1. Member States shall provide that the controller or the processor designates a data protection officer.

2. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 32. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

3. The data protection officer may be designated for several entities, taking account of the organisational structure of the competent authority.3a. Member States shall provide for rules regarding conflicts of interests of the data protection officer.

3b. The data protection officer shall be appointed for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed,if the data protection officer no longer fulfils the conditions required for the performance of their duties.

3c. Member States shall provide that the controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.

3d. Member States shall provide that data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.

Justification

Having a minimum term of two years contributes to stability. Conflicts of interest should be avoided at all costs. These changes reflect recommendations of the EDPS (pt. 406 of his opinion). In general, the rules should be aligned with those foreseen under Article 35 of the proposed General Data Protection Regulation.

  • eu logo The launch and upkeep (until December 31, 2013) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: