The Data Protection Officer: roles and responsibilities

The European Regulation on Privacy, published on May 4th 2016 and entering into force on May 18th 2018, has officially introduced the role of the Data Protection Officer ("DPO") as part of its general data protection rules.

The Data Protection Officer is an individual who oversees and evaluates the data protection activities within a company and makes sure that they are carried out in compliance with EU privacy regulations as well as national provisions.

Appointing a Data Protection Officer is one of the key requirements for all companies doing business within the European Union and collecting data in the course of that business.

Under art. 35 of the regulation, the DPO is appointed when: the processing is carried out by a public authority (except for courts acting in their judicial capacity); the core activities of the company consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the company consist of processing, on a large scale, special categories of data relating to criminal convictions and offences.

Furthermore, the DPO is designated on the basis of professional qualities and expert knowledge of data protection law and practices. Additionally, the DPO needs to be able to share his knowledge effectively and fulfil the tasks set out in art. 37 of the regulation. The company may appoint one of its own employees as DPO, as long as his/her existing professional duties and new duties as DPO do not result in a conflict of interest.

The company needs to involve the DPO, in a timely manner, in all issues related to the protection of personal data, and to provide him with the resources necessary to carry out the tasks set out in art. 37, as well as access to personal data and processing operations.

The tasks of the DPO pursuant to art. 37 of this regulation include: informing and advising the company and the employees who process personal data of their obligations under this Regulation and under other Union or Member State data protection provisions; monitoring compliance with this regulation, with other Union or Member State data protection provisions and with the company's policies on the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and related audits; providing advice, where requested, on the data protection impact assessment and monitoring its performance; cooperating with the supervisory authority; and acting as the contact point for the supervisory authority on issues related to the processing of personal data, including consultation, where appropriate, on any other matter.

The DPO reports to the highest management level of the company or organization, but has to carry out these tasks in an independent manner, meaning that he cannot be given instructions on how to exercise them, and he cannot be dismissed or penalised for performing them. While performing these tasks, in addition to being bound by secrecy or confidentiality concerning their performance, he has to have due regard to the risks associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.

The DPO is hired for a period of at least two years, and he can only be dismissed if he cannot fulfil his duties.

A single DPO may be appointed for a group of companies, as long as he is easily accessible from each establishment.

In conclusion, the role of the DPO is essential because, in addition to monitoring, notifying and communicating any data breaches, the DPO can help ensure a consistent application of the rules by companies and public authorities.