Many privacy and data protection laws worldwide require organisations to appoint a Data Protection Officer (DPO) or an equivalent role, such as a Privacy Officer, to ensure compliance with legal requirements in practice and to maintain accountability for compliance.
This overview outlines key global requirements, references relevant legislation, and provides a summary of the types of organisations covered under each law.
It explains how the DPO role should be structured within an organisation, the core responsibilities and expected qualifications of the role, and whether there is an obligation to notify the relevant supervisory authority or make the DPO’s contact details publicly available.
GDPRLocal is a dynamic, forward-thinking, professional Data Protection Consultancy, providing expert advice and guidance on all data protection and AI matters, across all frameworks and territories.
A Data Protection Officer (DPO) is an individual appointed by an organisation to ensure compliance with data protection laws and regulations. This role acts as a point of contact between the organisation, data subjects, and regulatory authorities.
The role of DPO is defined in Articles 37, 38, and 39 of the GDPR.
Unlike previous data protection roles, the GDPR DPO has a clearer legal mandate, a defined function, and a license to operate. They are responsible for overseeing data protection activities within an organisation and ensuring compliance with the GDPR.
The GDPR DPO can be an internal employee or an external appointment. Regardless of their arrangement, they must possess expert knowledge of data protection and act independently to avoid conflicts of interest.
| Australia | |
|---|---|
| Legal Instrument |
Privacy (Australian Government Agencies – Governance) APP Code 2017 |
| Scope |
• Government agencies, except ministers, must appoint a privacy officer.
• An agency may have one or more privacy officers.
• The privacy officer may serve as the required privacy champion, which must be a senior official within the agency, or the two positions may be separate.
|
| Tasks |
• Provide advice on privacy matters
• Handle privacy inquiries, complaints and requests related to personal information
• Maintain a record of the agency’s PI holdings
• Assist with privacy impact assessments and maintain the agency’s register of such assessments
• Assess the agency’s performance against the privacy management plan at least annually
|
| Training or expertise |
The Office of the Australian Information Commissioner’s “Privacy Officer Toolkit” describes useful skills and expertise and offers resources for privacy officers. |
| Albania | |
|---|---|
| Legal Instrument |
Law no. 124/2024 (On Personal Data Protection) – Articles 33-34 |
| Scope |
The following entities must designate a DPO:
• Public authorities, except courts
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities involve processing sensitive data/criminal records on a large scale
Groups of companies can have the same DPO so long as each member can easily access the officer.
|
| Tasks |
• Provide advice on data protection issues
• Assist with impact assessment activities required by the law
• Advise on awareness-raising and training of staff that engage in data processing
• Monitor compliance with the law
• Communicate with the Commissioner for the Right to Information and Personal Data Protection
• Pay due attention to the risk of infringement of fundamental rights and freedoms that could result from data processing
|
| Training or expertise |
• The DPO must have professional qualities, including knowledge of data protection laws/practices.
• Training is provided by the Albanian School of Public Administration or higher education institutions/professional organizations that specialize in personal data protection.
|
| Algeria | |
|---|---|
| Legal Instrument |
Law No. 18-07 of 28 Ramadhan 1439 Corresponding to June 10, 2018 Relating to the Protection of Individuals in the Processing of Personal Data |
| Scope |
The amending law (No. 11-25) mandates that all data controllers appoint DPOs.
Courts are exempt.
|
| Tasks |
• Ensure that personal data is protected against destruction, loss, alteration and unauthorized access.
• Assist with data protection impact assessments as required by law for high-risk processing
• Coordinate and communicate with the National Authority
|
| Training or expertise |
|
| Andorra | |
|---|---|
| Legal Instrument |
Law 29/2021, of October 28, on the Protection of Personal Data – Article 38 |
| Scope |
The following entities must appoint a DPO:
• Public authorities, except courts
• Companies or organizations that process personal data, including automated processing that may have legal effects for natural persons; special categories of data on a large scale; or “a considerable amount of personal data of a national or supranational scope”
Groups of companies can have the same DPO so long as each member can easily access the officer.
Multiple public authorities can also rely on one DPO.
|
| Tasks |
• Advise covered entities about the law
• Monitor policies related to data protection
• Raise awareness and train staff
• Provide advice related to impact assessments and ensure implementation
• Communicate with the supervisory authority
|
| Training or expertise |
The DPO must have professional qualities, knowledge of the law and practice in data protection matters. |
| Åland Islands | |
|---|---|
| Legal Instrument |
General Data Protection Regulation Article 37-39 |
| Scope |
The following entities must appoint a DPO:
• Public authorities or bodies processing data, except courts
• Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale or include processing on a large scale of special categories of data
• Where required by EU member state law
The DPO may be a staff member or contractor.
They must be resourced to carry out tasks and maintain expertise, and must report to the highest management level.
The DPO must not receive instructions regarding their tasks or be dismissed for performing them.
They are bound by confidentiality.
|
| Tasks |
• Inform and advise on data protection requirements
• Monitor compliance
• Advise the organization on data protection impact assessments
• Cooperate and communicate with the DPA and individuals
|
| Training or expertise |
The DPO must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
| Barbados | |
|---|---|
| Legal Instrument |
Data Protection Act, 2019-29 – Section 67-69 |
| Scope |
The following entities must appoint a DPO:
• Public authorities, except courts
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities include processing sensitive data on a large scale
Groups of companies can have the same DPO so long as each member can easily access the officer.
Multiple public authorities can also rely on one DPO.
DPOs may be staff members or contractors.
|
| Tasks |
• Advise controllers and processors about their legal obligations under the data privacy law
• Monitor compliance with the law and with the controller’s policies
• Assist with the data protection impact assessments as requested and monitor performance
• Cooperate and coordinate with the Data Protection Commissioner
|
| Training or expertise |
The DPO must have professional qualities, including expert knowledge of data protection law. |
| Belize | |
|---|---|
| Legal Instrument |
Data Protection Act, 2021 – Articles 65-67 |
| Scope |
The following entities must designate a DPO:
• Public authorities, except courts
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities include processing sensitive data on a large scale
The DPO may be a staff member or contractor.
Groups of companies can have the same DPO so long as each member can easily access the officer.
Multiple public authorities can also rely on one DPO.
|
| Tasks |
• Advise controllers and processors about their legal obligations
• Monitor compliance with the law and with the controller’s policies
• Assist with the data protection impact assessments as requested and monitor performance
• Cooperate and coordinate with the commissioner
|
| Training or expertise |
The DPO must have professional qualities, including expert knowledge of data protection law and practices. |
| Belarus | |
|---|---|
| Legal Instrument |
The Belarus Data Protection Act, Article 17 |
| Scope | All operators, which includes public authorities, “legal person[s] of the Republic of Belarus,” and other organizations that process personal data, must appoint a DPO. |
| Tasks | Operators must appoint a DPO or establish a structural unit to comply with the law. |
| Benin | |
|---|---|
| Legal Instrument |
Digital Code – Article 430 |
| Scope |
The following entities must appoint a DPO:
• Public organizations
• Controllers and processors whose core activities require monitoring subjects or processing sensitive data on a large scale
|
| Tasks | Entities that have a DPO are exempt from notifying the APDP of data processing under Article 480. |
| Bermuda | |
|---|---|
| Legal Instrument |
Personal Information Protection Act 2016 – Article 5 |
| Scope |
• Organizations, which include public and private entities that use personal information, must designate a privacy officer.
• Organizations can share a privacy officer if they are under common ownership or control.
• The privacy officer can then “delegate his duties” to others.
|
| Tasks |
• Take responsibility for compliance with the act
• Communicate with the commissioner
|
| Brazil | |
|---|---|
| Legal Instrument |
Brazilian General Data Protection Law, Article 14 |
| Scope | Controllers must appoint a DPO. |
| Tasks |
• Receive and respond to complaints
• Communicate with the DPA
• Educate staff and contractors on personal data protection practices
• Conduct other duties as prescribed by controller or set forth in DPA rules
|
| Cabo Verde | |
|---|---|
| Legal Instrument |
Law 133/V2001 on the Protection of Personal Data |
| Scope |
The following entities must appoint a DPO:
• Public bodies, except courts
• Controllers or processors whose core activities require systematic/regular monitoring of data subjects on a large scale
• Controllers or processors whose core activities include processing special categories of data on a large scale or data involving criminal convictions and offenses
|
| Canada | |
|---|---|
| Legal Instrument |
The Personal Information Protection and Electronic Documents Act (PIPEDA) |
| Scope |
• Organizations must designate an accountable individual.
• Organizations include an association, partnership, person and trade union; the law applies to the personal information that they collect, use or disclose in the course of commercial activities.
• The organization can delegate multiple accountable individuals.
• Other individuals may act on behalf of the designated individual.
|
| Tasks |
• Oversee and be accountable for the organization’s compliance with the act’s principles
• Handle complaints or inquiries from individuals
|
| China | |
|---|---|
| Legal Instrument |
|
| Scope | Entities that process personal information of more than 1 million individuals must appoint a DPO. |
| Tasks |
• Take personal responsibility for supervising personal information handling activities
• Ensure total compliance with the PIPL
• Facilitate compliance audits as required by the PIPL
|
| Training or expertise |
The DPO must have professional qualifications related to personal information protection laws. |
| Colombia | |
|---|---|
| Legal Instrument |
Law 1581 of 2012
|
| Scope | Controllers and processors must designate a person or area to perform data protection functions. |
| Tasks |
• Take responsibility for the personal data protection program
• Handle data subjects’ requests
|
| Côte d’Ivoire | |
|---|---|
| Legal Instrument |
Law 2013-450 on the Protection of Personal Data |
| Scope | DPOs are not required, but certain obligations are waived if the person responsible for the processing of information designates a correspondent for the protection of personal data |
| Tasks | Take responsibility for managing documents related to the processing of personal data so that they are available for individuals upon request |
| Training or expertise |
• The requirements for correspondents differ depending on whether the individual is a “natural person” or a legal person.
• Requirements generally include status under Ivorian law, education and experience in the field, other skills and qualifications, a clean criminal record and employment as a staff member who meets certain criteria.
|
| Ecuador | |
|---|---|
| Legal Instrument |
Ley Organica de Proteccion de Datos Personales (Personal Data Protection Law) |
| Scope |
The following must appoint a DPO:
• Public authorities
• Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities include processing on a large scale of special categories of data
Multiple entities can have the same DPO so long as there is no conflict of interest.
The officer must report to the highest management level and cannot be disciplined or fired for performing their functions.
|
| Tasks |
• Advise controllers and processors on compliance with data protection law
• Monitor compliance with the law and internal policies
• Assist with data protection impact assessments where requested
• Communicate and cooperate with the Superintendence of Data Protection
|
| Training or expertise |
|
| Egypt | |
|---|---|
| Legal Instrument |
Personal Data Protection Law Articles 8-9 |
| Scope | The legal representative of any controller or processor must appoint a DPO for that legal entity. |
| Tasks |
• Take charge of application of the law
• Monitor compliance and procedures
• Receive and respond to data subjects’ requests
• Evaluate personal data protection systems, document results and issue recommendations
• Maintain personal data records
• Take corrective actions for violations
• Train staff
• Implement security procedures
• Liaise with the DPA, notify DPA of infringements and implement decisions
|
| Training or expertise |
The DPO must be a competent employee of the entity. |
| EU and EEA Member States | |
|---|---|
| Legal Instrument |
General Data Protection Regulation |
| Scope |
The following entities must appoint a DPO:
• Public authority or body processing data, except courts
• Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale or include processing on a large scale of special categories of data
• Where required by EU member state law
The DPO can be a staff member or contractor.
They must be resourced to carry out tasks and maintain expertise.
The DPO must report to the highest management level.
The DPO must not receive instructions regarding their tasks or be dismissed for performing them.
They are bound by confidentiality.
|
| Tasks |
• Inform and advise on data protection requirements
• Monitor compliance
• Advise the organization on data protection impact assessments
• Cooperate with the DPA
• Serve as contact for individuals and the DPA
|
| Training or expertise |
The DPO must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
| Faroe Islands | |
|---|---|
| Legal Instrument |
Act on the Protection of Personal Data (Data Protection Act) Act no. 80 of June 7, 2020, Articles 53-58 |
| Scope |
The following entities must designate a DPO:
• Public authorities
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities involve processing sensitive data on a large scale
Multiple companies can have the same DPO so long as each member can access the officer.
Multiple public authorities can also rely on one DPO.
|
| Tasks |
• Advise controllers and processors about their legal obligations
• Monitor compliance with data protection laws/provisions
• Assist with the data protection impact assessment as requested and monitor performance
• Cooperate and coordinate with the DPA
|
| Training or expertise |
The DPO must have professional qualities, including expert knowledge of data protection law and practices. |
| Gabon | |
|---|---|
| Legal Instrument |
Law No. 025/2023 of 09/07/2023 amending Law No. 001/2011 of September 25, 2011 on the Protection of Personal Data |
| Scope |
The following entities must designate a DPO:
• Public bodies, except courts
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities include processing special categories of data on a large scale or data involving criminal convictions and offences
|
| Tasks |
• Advise on compliance with the data protection law and monitor for compliance
• Assist with data protection impact assessments
• Cooperate with the DPA
|
| Training or expertise |
The DPO must be qualified based on knowledge of the law and data protection. |
| Georgia | |
|---|---|
| Legal Instrument |
Law of Georgia on Personal Data Protection – Article 33 |
| Scope |
Controllers/processors that process data or monitor behavior on a large scale must designate a DPO, as well as the following specific entities:
• Public institutions
• Insurance organizations
• Commercial banks
• Micro-finance organizations
• Credit bureaus
• Electronic communication companies
• Airlines/airports
• Medical institutions
The DPO may be an employee or contractor; they may be permitted to hold other positions so long as there is no conflict of interest.
|
| Tasks |
• Advise controllers and processors on data protection
• Help develop internal regulations and assist with data protection impact assessments as required
• Handle applications and requests related to data processing
• Coordinate and communicate with the Personal Data Protection Service
• Provide individuals with their data processing rights as requested
|
| Training or expertise |
The DPO must have appropriate knowledge of data protection. |
| Ghana | |
|---|---|
| Legal Instrument |
Data Protection Act Section 58 |
| Scope |
• Data controllers may appoint a data protection supervisor.
• The supervisor may be an employee.
|
| Tasks | Monitor compliance with the act |
| Training or expertise |
The DPO must be certified and qualified as specified by the commission. |
| Gibraltar | |
|---|---|
| Legal Instrument |
Data Protection Act 2004 – Articles 78-80 |
| Scope |
• Any controller, unless it is a court or other judicial authority
• Multiple controllers can have the same DPO.
|
| Tasks |
• Advise controllers and processors on their legal obligations
• Assist with data protection impact assessments required by law
• Cooperate and coordinate with the commissioner
• Monitor compliance with the internal policies of the controller and the data protection law
|
| Training or expertise |
The DPO must have expert knowledge of data protection law and practices and the ability to perform the required tasks. |
| Guernsey | |
|---|---|
| Legal Instrument |
The Data Protection (Bailiwick of Guernsey) Law, 2017 – Part VIII |
| Scope |
The following entities must designate a DPO:
• Public authorities, except courts
• Controllers or processors whose core activities require/involve monitoring data subjects systematically or on a large scale
• Controllers or processors whose core activities involve processing special category data on a large scale
Other controllers or processors may voluntarily designate a DPO.
Multiple public authorities can rely on a single DPO.
Multiple controllers and processors can also have the same DPO so long as each member can access the officer and the DPO’s time is adequately divided among members.
|
| Tasks |
• Advise on the legal duties of the controller/processor as it relates to data protection
• Monitor compliance with all relevant data protection laws as well as the policies of the entity
• Advise on data protection impact assessments as requested
• Communicate and coordinate with the DPA
|
| Training or expertise |
DPOs must have professional skills, knowledge and abilities. |
| India | |
|---|---|
| Legal Instrument |
Digital Personal Data Protection Act |
| Scope |
• Significant data fiduciaries – those designated by the government based on factors such as the volume and sensitivity of data processed and the risk to individuals/the state – must appoint a DPO.
• The DPO must be based in India.
|
| Tasks |
• Represent the covered entity as it relates to the Digital Personal Data Protection Act
• Be the point of contact for the governing body and for individuals using the “grievance redressal mechanism”
|
| Training or expertise |
DPOs must have professional skills, knowledge and abilities. |
| Isle of Man | |
|---|---|
| Legal Instrument |
General Data Protection Regulation (Articles 37-39) |
| Scope |
The following entities must appoint a DPO:
• Public authorities or bodies that process data, except courts
• Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale or include processing on a large scale of special categories of data
• Where required by EU member state law
The DPO may be a staff member or contractor.
They must be resourced to conduct tasks and maintain expertise.
The DPO must report to the highest management level.
The DPO must not receive instructions regarding their tasks or be dismissed for performing them.
The DPO is bound by confidentiality.
|
| Tasks |
• Inform and advise on data protection requirements
• Monitor compliance
• Advise the organization on data protection impact assessments
• Cooperate and communicate with the DPA and individuals
|
| Training or expertise |
The DPO must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
| Israel | |
|---|---|
| Legal Instrument |
Protection of Privacy Regulations 5777-2017 (pursuant to Article 36 of the Protection of Privacy Law 5741-1981) |
| Scope |
The following entities must appoint a data security officer under the privacy law/regulations:
• (1) a possessor of five databases that require registration under section 8;
• (2) a public body as defined in section 23;
• (3) a bank, an insurance company, a company involved in rating or evaluating credit.
The data security officer reports to the individual who manages the database.
|
| Tasks |
• Create security procedures for the database
• Develop and implement a plan for compliance with the laws and regulations
|
| Training or expertise |
The security supervisor cannot be someone “convicted of an offense involving moral turpitude or an offense of the provisions of this Law.” |
| Jamaica | |
|---|---|
| Legal Instrument |
Data Protection Act 2020 – Article 20 |
| Scope |
The following entities must appoint a DPO:
• Public authorities
• Data controllers who process sensitive personal data or data involving criminal convictions
|
| Tasks |
• Ensure that controllers comply with data privacy standards
• Communicate and consult with the commissioner
• Correct violations of the data privacy law
• Assist data subjects in exercising their rights
|
| Training or expertise |
The DPO must be appropriately qualified and cannot have any conflicts of interest. |
| Jersey | |
|---|---|
| Legal Instrument |
Data Protection (Jersey) Law 2018 – Part 5 |
| Scope |
The following entities must appoint a DPO:
• Public authorities, except courts
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities involve processing special category data on a large scale
• Other entities as required by law
The DPO can be an employee or contractor.
A group of controllers or processors, including public authorities, can have the same DPO so long as the officer is easily accessible to data subjects, the DPA and individual controllers/processors.
|
| Tasks |
• Advise controllers and processors about their legal obligations
• Monitor for compliance with data protection laws/provisions and internal policies, including staff training
• Assist with data protection impact assessments as requested
• Serve as the point of contact for data subjects seeking to exercise their rights under the data protection law
• Cooperate and coordinate with the DPA
|
| Training or expertise |
The DPO must be qualified with expert knowledge of data protection law and practices. |
| Jordan | |
|---|---|
| Legal Instrument |
Personal Data Protection Law No. 24 of 2023 – Article 11 |
| Scope |
The following entities must appoint a DPO:
• Controllers whose primary activity is to process personal data
• Those who process sensitive personal data, the data of “persons who lack legal capacity,” or data “that includes financial information”
• Those transferring data outside Jordan
• Other instances in which the Personal Data Protection Council decides that a controller must appoint a DPO
|
| Tasks |
• Monitor data protection processes to ensure compliance with data privacy laws and regulations
• Facilitate “a regular evaluation and examination for the Data Bases systems, the Data Processing Systems and the Systems for the protection of security and integrity and protection of the Data” and implement recommendations as a result
• Coordinate and communicate with the relevant authorities
• Coordinate data access requests and allow data subjects to exercise their rights under the data protection law
|
| Training or expertise |
|
| Kazakhstan | |
|---|---|
| Legal Instrument |
No 94-V (On Personal Data and Their Protection) – Article 25 |
| Scope | Owners and operators who are legal entities must appoint a person responsible for organizing the processing of personal data, unless the processing is part of court proceedings. |
| Tasks |
• “Exercise internal control over the observance by the owner and/or operator” to ensure that they are complying with the data protection law
• Explain the legal requirements imposed by the law
• Coordinate the “appeals from persons or their legal representatives”
|
| Training or expertise |
|
| Kenya | |
|---|---|
| Legal Instrument |
Data Protection Act No. 24 of 2019 – Article 24 |
| Scope |
The following entities must appoint a DPO:
• Public or private bodies, except for courts acting in their judicial capacity
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects
• Controllers or processors whose core activities involve processing sensitive personal data
The DPO can be a staff member and may have other duties so long as they do not create a conflict of interest.
Multiple public authorities can rely on a single DPO.
Multiple controllers and processors can also have the same DPO so long as each member can easily access the officer.
|
| Tasks |
• Advise on data processing requirements under the data protection law
• Ensure that the controller or processor complies with the law
• Facilitate capacity building of staff involved in data processing operations
• Assist with data protection impact assessments
• Communicate and coordinate with the Data Protection Commissioner
|
| Training or expertise |
A qualified DPO will have knowledge and technical skills in matters relating to data protection. |
| Kosovo | |
|---|---|
| Legal Instrument |
Law No. 06/L-082 on the Protection of Personal Data – Chapter X |
| Scope |
The following entities must appoint a DPO:
• Public bodies, except courts
• Controllers or processors whose core activities require systematic/regular monitoring of data subjects on a large scale
• Controllers or processors whose core activities involve processing special categories of data on a large scale or data involving criminal convictions and offences
The DPO can be an employee or a contractor.
Groups of companies can have the same DPO so long as each member can access the officer.
Multiple public bodies can also rely on one DPO.
|
| Tasks |
• Advise controllers and processors about their legal obligations
• Assist with data protection impact assessments as appropriate
• Cooperate and coordinate with the Information and Privacy Agency
|
| Training or expertise |
The DPO must have professional qualifications, including expertise in data protection law. |
| Macedonia | |
|---|---|
| Legal Instrument |
Law on Personal Data Protection – Articles 41-43 |
| Scope |
The following entities must designate a DPO:
• State administration bodies, except courts
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities involve processing special categories of data on a large scale or data involving criminal convictions and offences
The DPO can be an employee or contractor.
Groups of companies can have the same DPO so long as each member can easily access the officer.
Multiple public authorities can also rely on one DPO.
|
| Tasks |
• Advise controllers and processors about their legal obligations
• Monitor compliance with data protection laws/regulations, as well as the policies of the controller or processor
• Assist with data protection impact assessments as requested
• Cooperate and coordinate with the Personal Data Protection Agency
|
| Training or expertise |
• The DPO must have professional qualities, including expert knowledge of personal data protection law.
• The law includes additional requirements, including command of Macedonian, a record free of convictions, a certain level of education and practical skills.
|
| Malaysia | |
|---|---|
| Legal Instrument |
Personal Data Protection Act Amendment of 2024 |
| Scope | Controllers and processors must appoint one or more DPOs. |
| Tasks | Remain accountable for compliance with the data protection law |
| Mauritius | |
|---|---|
| Legal Instrument |
Data Protection Act 2017 – Section 22 (2) (e) |
| Scope | Every controller must designate an officer as part of their duties under the act. |
| Tasks | Take responsibility for data protection compliance |
| Mexico | |
|---|---|
| Legal Instrument |
Federal Law on Protection of Personal Data Held by Private Parties – Article 3 |
| Scope | All data controllers must designate a person or department responsible for data protection. |
| Tasks |
• Process requests from data subjects
• Promote data protection within the organization
|
| Montenegro | |
|---|---|
| Legal Instrument |
Personal Data Protection Law 79/08 and 70/09 |
| Scope | Controllers who establish an automatic personal data filing system must appoint a responsible person, unless they have fewer than 10 employees conducting personal data processing. |
| New Zealand | |
|---|---|
| Legal Instrument |
Privacy Act 2020 – Part 9, Section 201 |
| Scope |
• Agencies must appoint one or more privacy officers.
• An agency that is an individual collecting or holding personal information solely in connection with the individual’s personal/domestic affairs is exempt.
• The individual may be within or outside the agency.
|
| Tasks |
• Encourage compliance with the Information Privacy Principles
• Handle individual requests made to the agency
• Liaise with the DPA on investigations
• Ensure compliance with the act
|
| Nigeria | |
|---|---|
| Legal Instrument |
Data Protection Regulation 2019 – Section 3.1.2 |
| Scope |
• Every data controller must designate a DPO.
• The DPO must be a staff member or a contracted firm/individual.
|
| Tasks | Ensure compliance with the regulation and the controller’s data protection directives |
| Training or expertise |
DPOs and those involved in data processing must continuously participate in capacity building. |
| Panama | |
|---|---|
| Legal Instrument |
Law No. 81 on Personal Data Protection 2019 |
| Scope | Governmental entities and banks must appoint a DPO. |
| Philippines | |
|---|---|
| Legal Instrument |
Data Privacy Act of 2012 – Section 21(b) |
| Scope |
• Personal information controllers must designate an accountable individual.
• The organization can designate one or more individuals.
|
| Tasks | Account for the organization’s compliance with the act |
| Republic of Congo | |
|---|---|
| Legal Instrument |
Law 29-2019 on the Protection of Personal Data |
| Scope |
The following entities must designate a DPO:
• Public entities
• Entities that process particular data on a large scale or whose operations require regular and systematic follow-up
|
| Republic of Moldova | |
|---|---|
| Legal Instrument |
Law No. 195 of 25-07-2024 on the Protection of Personal Data – Section 4 (Articles 37-39) |
| Scope |
The following entities must designate a DPO:
• Public authorities, except courts
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose main activities include processing special categories of data on a large scale or data involving criminal convictions and offenses
The DPO can be an employee or a contractor.
Groups of companies can have the same DPO so long as each member can access the officer.
Multiple public authorities can also rely on one DPO.
|
| Tasks |
• Advise controllers and processors about their legal obligations
• Monitor compliance with data protection laws and the controller’s policies
• Assist with data protection impact assessments as requested
• Cooperate and coordinate with the National Centre for Personal Data Protection
|
| Training or expertise |
The DPO must have professional qualifications including specialist knowledge of and practice in the field of personal data protection. |
| Russia | |
|---|---|
| Legal Instrument |
Data Protection Act – Section 22.1.1 |
| Scope |
• Operators, which are legal entities, must appoint a DPO.
• The DPO must be accountable to the operator’s executive body.
|
| Tasks |
• Organize the processing of personal data
• Exercise internal control over compliance with personal data-related legislation
• Educate the operator and employees regarding personal data-related requirements
• Handle data subject requests
|
| Training or expertise |
|
| Rwanda | |
|---|---|
| Legal Instrument |
Law No. 058/2021 – Protection of Personal Data and Privacy Law – Article 41 |
| Scope |
The following entities must designate a DPO:
• Public bodies, except courts
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities include processing sensitive personal data and data relating to convictions
Groups of companies can have the same DPO so long as each member can access the officer.
Multiple public authorities can also rely on one DPO.
The DPO may be a staff member or contractor.
|
| Tasks |
• Advise controllers and processors about their legal obligations
• Monitor compliance with data protection laws/regulations
• Assist with data protection impact assessments as requested
• Cooperate and coordinate with supervisory authorities
|
| Training or expertise |
The DPO must have professional qualities and expert knowledge of personal data protection. |
| San Marino | |
|---|---|
| Legal Instrument |
Law 171/2018 – Articles 38-40 |
| Scope |
The following entities must designate a DPO:
• Public authority or body processing data, except courts
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities involve processing on a large scale of special categories of data
The DPO can be a staff member or contractor.
They must be resourced to carry out tasks and maintain expertise, and report to the highest management level.
The DPO must not receive instructions or be dismissed with regard to the performance of their tasks.
They are bound by confidentiality.
|
| Tasks |
• Inform and advise on data protection requirements
• Monitor compliance with the data protection law and internal policies of the controller
• Advise organization on data protection impact assessments
• Train staff
• Cooperate with the DPA
• Serve as contact for individuals and the DPA
|
| Training or expertise |
DPOs must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
| Saudi Arabia | |
|---|---|
| Legal Instrument |
|
| Scope |
The following entities must appoint a DPO:
• Public entities that process personal data on a large scale
• Controllers or processors whose core activities require regular/continuous monitoring of data subjects on a large scale
• Controllers or processors whose core activities involve processing sensitive data
The DPO can be a staff member or contractor.
|
| Tasks |
• Monitor and ensure that the PDPL is implemented
• Communicate with the competent authority
• Assist with “impact assessment procedures, audit reports, and evaluations”
• Enable data subjects to exercise their rights under the PDPL
|
| Training or expertise |
|
| Serbia | |
|---|---|
| Legal Instrument |
Law of Protection of Personal Data – Articles 56-58 |
| Scope |
The following entities must implement a DPO:
• Public authorities, except courts
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities involve processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses
The DPO can be a staff member or contractor.
They must report to the head controller or processor.
|
| Tasks |
• Inform and advise on data protection requirements
• Monitor implementation of the law and regulations on protection of personal data
• Advise, when requested, on data protection impact assessment and actions taken based on assessment
• Cooperate and communicate with the commissioner and data subjects
• Maintain confidentiality of personal data
|
| Training or expertise |
The DPO must have professional knowledge, experience in the field and the ability to perform required tasks. |
| Singapore | |
|---|---|
| Legal Instrument |
Personal Data Protection Act – Section 11(3) |
| Scope |
• To comply with the law, organizations must designate individual(s) to be responsible for ensuring compliance.
• Organizations include any individual, company, association, or body of persons.
• The data protection law governs the collection, use and disclosure of personal data by organizations.
• The duties can be performed by one person or a team.
|
| Tasks | Ensure that the organization complies with the data protection law |
| Training or expertise |
DPO Competency Framework and Training Roadmap |
| South Africa | |
|---|---|
| Legal Instrument |
Protection of Personal Information Act – Chapter 5, Part B |
| Scope | Public and private bodies must designate an information officer, as well as any deputy information officers that are needed. |
| Tasks |
• Encourage lawful processing of personal information
• Handle individual requests
• Coordinate and communicate with regulator on investigations
• Otherwise ensure compliance with the act and perform additional duties as prescribed
|
| South Korea | |
|---|---|
| Legal Instrument |
Personal Information Protection Act – Article 31(1) |
| Scope | Personal information controllers must designate a privacy officer. |
| Tasks |
• Take charge of data processing
• Establish a data protection plan
• Survey data processing practices and improve data processing
• Address grievances with data processing
• Build controls to prevent misuse of personal data
• Educate staff about data protection
• Protect, control and manage data files
• Implement corrective measures for violations and report them to head of organization
|
| Training or expertise |
|
| Seychelles | |
|---|---|
| Legal Instrument |
Data Protection Act 2023 – Articles 45-46 |
| Scope |
The following entities must designate a DPO:
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale or
• Controllers or processors whose core activities involve processing special categories of data on a large scale
Multiple data controllers can designate the same individual as their DPO.
|
| Tasks |
• Monitor data protection processes to ensure compliance with data privacy laws
• Coordinate and communicate with the commission
• Communicate with data subjects and handle disputes
|
| Training or expertise |
A qualified DPO will have knowledge of data protection law and practice in the field. |
| Sri Lanka | |
|---|---|
| Legal Instrument |
Personal Data Protection Act No. 9 of 2022 – Article 20 |
| Scope |
The following entities must appoint a DPO:
• Ministries, government departments, or public corporations (except courts)
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects
• Controllers or processors whose core activities involve processing special categories of data
• Controllers or processors whose core activities include processing that results “in a risk of harm affecting the rights of the data subjects protected under this Act”
Groups of companies can have the same DPO so long as each member can access the officer.
Multiple public authorities can also rely on one DPO.
|
| Tasks |
• Advise controllers and processors about their legal obligations and ensure compliance with the data privacy law
• Coordinate capacity building of staff for data processing
• Assist with personal data protection impact assessments
• Cooperate with the DPA
|
| Training or expertise |
The DPO must be academically and professionally qualified, including “competency and capacity to implement strategies and mechanisms to respond to inquiries and incidents related to processing of personal data.” |
| Thailand | |
|---|---|
| Legal Instrument |
Personal Data Protection Act – Sections 41-42 |
| Scope |
The following entities must designate a DPO:
• Controllers or processors that are public authorities
• Controllers or processors whose activities require regular monitoring of personal data on a large scale
• Controllers or processors whose core activities involve processing sensitive data
Affiliated controllers and processors can designate a single DPO.
The officer can be a staff member or contractor but must be provided with adequate tools, equipment and data access.
The DPO must report to the chief executive and be protected from dismissal for performing tasks.
|
| Tasks |
• Give advice with respect to compliance with the act
• Investigate data processing for compliance with the act
• Cooperate with the regulator
• Maintain confidentiality of personal data
• Other duties as assigned that do not conflict with duties under the act
|
| Training or expertise |
Regulators may prescribe qualifications related to knowledge or expertise. |
| Tanzania | |
|---|---|
| Legal Instrument |
|
| Scope | Controllers and processors must appoint a DPO. |
| Tasks |
• Ensure that processing complies with the data protection law
• Facilitate applications and complaints from data subjects
• File quarterly compliance reports to the commission
• Report violations of the Personal Data Protection Act or the Regulations
|
| Uganda | |
|---|---|
| Legal Instrument |
Data Protection and Privacy Act – Article 6 |
| Scope | Institutions (i.e., covered entities other than individuals or public bodies) must appoint a DPO. |
| Tasks | Ensure compliance with the act |
| Ukraine | |
|---|---|
| Legal Instrument |
Data Protection Law – Article 24(2) |
| Scope |
The following entities must appoint a DPO:
• State and local governments
• Controllers and processors that process data of particular risk to the rights and freedoms of data subjects.
• The law excludes sole traders, including doctors, attorneys, and notaries, which are personally responsible.
|
| Tasks |
• Organize the work related to personal data protection
• Inform and advise the controller or processor on observance of the legislation
• Cooperate with the Ukrainian Parliament Commissioner for Human Rights and appointed officials on compliance
|
| Training or expertise |
|
| United Arab Emirates (Abu Dhabi) | |
|---|---|
| Legal Instrument |
ADGM Data Protection Regulations – Articles 35-37 |
| Scope |
Controllers or processors must appoint a DPO in the following circumstances:
• Processing by public authority or body, except courts
• Core activities require regular and systematic monitoring of data subjects on a large scale
• Core activities include processing on a large scale of special categories of data
The officer may be a staff member or contractor.
The DPO may be appointed by a single entity or a group of entities.
The DPO does not need to be a resident within Abu Dhabi Global Market.
|
| Tasks |
• Inform and advise on data protection requirements
• Monitor compliance
• Raise organizational awareness and train staff
• Advise organization on data protection impact assessments
• Cooperate with the Commissioner of Data Protection
• Serve as contact point for data subjects and the commissioner
|
| Training or expertise |
The DPO must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
| United Kingdom | |
|---|---|
| Legal Instrument |
U.K. General Data Protection Regulation – Articles 37-39 |
| Scope |
The following entities must appoint a DPO:
• Public authorities or bodies, except courts
• Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale
• Controllers or processors whose core activities include processing on a large scale of special categories of data
The officer can be a staff member or contractor.
|
| Tasks |
• Inform and advise on data protection requirements
• Monitor compliance with the data protection law
• Advise organization on data protection impact assessments
• Cooperate with the Information Commissioner’s Office
• Serve as contact for individuals and ICO
|
| Training or expertise |
The DPO must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
| United States | |
|---|---|
| Legal Instrument |
Health Insurance Portability and Accountability Act – Section 164.530(a)(1) |
| Scope | HIPAA-covered entities must appoint a DPO. |
| Tasks | Develop and implement the policies and procedures of the entity |
| Uzbekistan | |
|---|---|
| Legal Instrument |
Law of the Republic of Uzbekistan About Personal Data – Article 31 |
| Scope | Entities delegate a structural unit or official responsible for ensuring that data is protected and processed in accordance with the standard. |
| Training or expertise |
The “Standard Procedure for organizing the activities of a structural unit or authorized person” is approved by the relevant state body. |
| Uruguay | |
|---|---|
| Legal Instrument |
Law 19670 – Article 40 |
| Scope |
The following entities must appoint a DPO:
• Public entities
• Fully or partially state-owned private entities, and private entities that process sensitive data as their main business and those that process large volumes of data (concerning more than 35,000 people)
The DPO can be a staff member or a contractor but must have full access to personal databases and processing operations.
|
| Tasks |
• Advise on the formulation, design and application of data protection policies
• Supervise compliance with regulations
• Propose measures to conform to the regulations and international standards on data protection
• Liaise with the regulator
• Other tasks as assigned, which do not conflict with mandated duties
|
| Training or expertise |
A DPO must have the necessary qualifications to perform their duties, including accredited expertise in law and specialized knowledge in the protection of personal data. |
| Zambia | |
|---|---|
| Legal Instrument |
Data Protection Act 2021 – Article 48 |
| Scope | Data controllers and processors must appoint a DPO “in accordance with the guidelines issued by the Data Protection Commissioner.” |
| Zimbabwe | |
|---|---|
| Legal Instrument |
Data Protection Act – Article 20 |
| Scope | Controllers are not required to appoint a DPO, but those who do may be exempted from certain notification requirements. |
| Tasks |
• Ensure that the data controller complies with data protection laws and regulations
• Facilitate requests submitted to the controller
• Coordinate with the DPA
|
Many privacy laws worldwide require organisations to appoint a Data Protection Officer (or an equivalent privacy role), and the “rules of the game” change by country, including whether you must notify a regulator or publish DPO contact details.
If you’re unsure whether you need a DPO or if you need the role covered consistently across multiple jurisdictions, GDPRLocal can help with DPO support, privacy program implementation, and GDPR Article 27 Representative services (EU/UK), so you can meet requirements without building everything in-house.
Nikola Bundevski – Senior Customer Success Manager
Phone number: +44 1772 217800
Book a meeting: https://meetings.hubspot.com/nick-bundevski
It depends on the law and your processing activities. For example, under the United Kingdom GDPR, a DPO is required for public authorities (with limited exceptions) and for organisations whose core activities involve large-scale monitoring or large-scale processing of special category data.
In many frameworks, the DPO can be either internal or external. Under the GDPR model, the DPO may be an internal employee or an external appointment, but they must have expert knowledge and operate independently to avoid conflicts of interest.
While duties vary by jurisdiction, a common baseline includes advising the organisation on data protection requirements, monitoring compliance, advising on impact assessments, and cooperating with / serving as a contact point for regulators (e.g., the Information Commissioner’s Office in the UK).
Source: https://iapp.org/ – Data Protection Officer Requirements by Country