Data Protection Act 2018

88

Data protection officer

88. (1) A controller, other than—

(a) a court, or

(b) another independent judicial authority,

acting in its judicial capacity, shall, subject to subsections (2) and (3), appoint a person to carry out the functions specified in subsection (5) in respect of the controller (in this Part referred to as a “data protection officer”).

(2) Two or more controllers may, subject to subsection (3), having regard to their organisational structure and size, appoint a single data protection officer to carry out the functions specified in subsection (5) in respect of each of the controllers.

(3) A controller, when appointing a data protection officer, shall do so on the basis of—

(a) the person’s expert knowledge of the law and the practice relating to the protection of personal data, and

(b) his or her ability to carry out the functions specified in subsection (5).

(4) Where a controller appoints a data protection officer, the controller shall—

(a) publish or cause to be published the contact details of the data protection officer,

(b) inform the Commission of the appointment of the data protection officer and provide the Commission with his or her contact details,

(c) ensure that the data protection officer—

(i) reports directly, in relation to his or her functions under subsection (5), to the highest level of management of the controller,

(ii) does not receive any instructions regarding the exercise of such functions, and

(iii) is involved in an appropriate and timely manner in all matters relating to the protection of personal data, and

(d) support the data protection officer in performing his or her functions under subsection (5), including by—

(i) providing him or her with the resources that he or she requires to perform those functions,

(ii) ensuring that he or she has access to processing operations carried out by the controller, and

(iii) assisting him or her to maintain his or her expert knowledge in the law and practice relating to the protection of personal data.

(5) The functions of a data protection officer shall include the following:

(a) informing and advising the controller, and the employees of the controller who carry out processing, of their obligations under this Part and under any other law of the European Union or law of the State that relates to the protection of personal data;

(b) monitoring the compliance of the controller with—

(i) this Part,

(ii) any other law of the European Union or law of the State that relates to the protection of personal data, and

(iii) the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities in the controller in relation to the protection of personal data, the raising of awareness and the training of staff involved in processing operations in that regard, and any audit activity related to the protection of personal data;

(c) providing advice, where requested to do so, in relation to the carrying out of a data protection impact assessment in accordance with section 84 and monitoring any steps taken on foot of that assessment;

(d) acting as the contact point for data subjects with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Part;

(e) cooperating with the Commission and acting as a contact point for the Commission for issues related to processing carried out by the controller, including consultation by the controller with the Commission under section 84.