The role of a Data Protection Officer (DPO) has evolved from a best-practice recommendation to a mandatory legal requirement across dozens of jurisdictions. As organizations navigate the complexities of the GDPR in Europe, the LGPD in Brazil, and emerging frameworks like India’s DPDP Act, understanding when and how to appoint a DPO is critical to avoiding significant non-compliance penalties. This Captain Compliance Edition of the Global DPO Requirements provides a streamlined analysis of key jurisdictions, detailing the specific legal instruments, the scope of mandatory appointments, essential DPO tasks, required expertise, and notification protocols. Whether you are managing large-scale monitoring or processing sensitive biometric data, this guide ensures your organization remains audit-ready and legally sound, and lets you look up the DPO requirements for each location around the world.
A Data Protection Officer acts as a central figure in an organization’s privacy framework, serving as an independent advocate for data subjects and a bridge to regulatory authorities. Their primary responsibility is to monitor internal compliance with laws like the GDPR or LGPD, which includes overseeing data protection audits, training staff, and advising on Data Protection Impact Assessments (DPIAs). They also serve as the main point of contact for individuals exercising their data rights and for supervisory authorities during investigations. By ensuring that privacy-by-design principles are embedded into every business process, the DPO helps organizations mitigate legal risks and build long-term trust with their users.
| Data Protection Officer (DPO) Requirements by Country — Captain Compliance Edition | |||||
| Country / Jurisdiction | Legal instrument | Scope (when DPO required) | DPO tasks | Training / expertise | Registration / notification |
| Australia | Privacy APP Code 2017 (Article 10) |
• Government agencies, except ministers, must appoint a privacy officer. • An agency may have one or more privacy officers. • The privacy officer may serve as the required privacy champion, which must be a senior official within the agency, or the two positions may be separate. |
• Provide advice on privacy matters • Handle privacy inquiries, complaints and requests related to personal information • Maintain a record of the agency’s PI holdings • Assist with privacy impact assessments and maintain the agency’s register of such assessments • Assess the agency’s performance against the privacy management plan at least annually |
• The Office of the Australian Information Commissioner’s “Privacy Officer Toolkit” describes useful skills and expertise and offers resources for privacy officers. |
|
| Albania | Law no. 124/2024 (“On Personal Data Protection”) – Articles 33-34 |
• The following entities must designate a DPO: › Public authorities, except courts › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities involve processing sensitive data/criminal records on a large scale • Groups of companies can have the same DPO so long as each member can easily access the officer. |
• Provide advice on data protection issues • Assist with impact assessment activities required by the law • Advise on awareness-raising and training of staff that engage in data processing • Monitor compliance with the law • Communicate with the Commissioner for the Right to Information and Personal Data Protection • “[P]ay due attention to the risk of infringement of fundamental rights and freedoms” that could result from data processing |
• The DPO must have professional qualities, including knowledge of data protection laws/practices. • Training is provided by the Albanian School of Public Administration or higher education institutions/professional organizations that specialize in personal data protection. |
|
| Algeria | Law No. 18-07 of 25 Ramadhan 1439 Corresponding to June 10, 2018 Relating to the Protection of Individuals in the Processing of Personal Data; Law No. 11-25, Amending and Supplementing Law 18-07 |
• The amending law (No. 11-25) mandates that all data controllers appoint DPOs. Courts are exempt. |
• Ensure that personal data is protected against destruction, loss, alteration or unauthorized access. • Assist with data protection impact assessments as required by law for high-risk processing • Coordinate and communicate with the National Authority |
||
| Andorra | Law 29/2021, of October 28, on the protection of personal data – Article 38 |
• The following entities must appoint a DPO: › Public authorities, except courts › Companies or organizations that process personal data, including automated processing that may have legal effects for natural persons; special categories of data on a large scale; or “a considerable amount of personal data of a national or supranational scope” • Groups of companies can have the same DPO so long as each member can easily access the officer. • Multiple public authorities can also rely on one DPO. |
• Advise covered entities about the law • Monitor policies related to data protection • Raise awareness and train staff • Provide advice related to impact assessments and ensure implementation • Communicate with the supervisory authority |
• The DPO must have professional qualities, knowledge of the law and practice in data protection matters. |
Within 10 days of appointment |
| Åland Islands (GDPR) | General Data Protection Regulation (Articles 37-39) |
• The following entities must appoint a DPO: › Public authorities or bodies processing data, except courts › Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale or include processing on a large scale of special categories of data › Where required by EU member state law • DPO may be a staff member or contractor. • They must be resourced to carry out tasks and maintain expertise and report to highest management level. • The DPO must not receive instructions regarding the exercise of their tasks or be dismissed for performing them. • They are bound by confidentiality. |
• Inform and advise on data protection requirements • Monitor compliance • Advise the organization on data protection impact assessments • Cooperate and communicate with the DPA and individuals |
• The DPO must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
|
| Barbados | Data Protection Act, 2019-29 – Section 67-69 |
• The following entities must appoint a DPO: › Public authorities, except courts › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities include processing sensitive data on a large scale • Groups of companies can have the same DPO so long as each member can easily access the officer. • Multiple public authorities can also rely on one DPO. • DPOs may be staff members or contractors. |
• Advise controllers and processors about their legal obligations under the data privacy law • Monitor compliance with the law and with the controller’s policies • Assist with the data protection impact assessment as requested and monitor performance • Cooperate and coordinate with the Data Protection Commissioner |
• The DPO must have professional qualities, including expert knowledge of data protection law. |
|
| Belarus | The Belarusian Data Protection Act – Article 17 |
• All operators, which includes public authorities, “legal person[s] of the Republic of Belarus,” and other organizations that process personal data, must appoint a DPO. |
• Operators must appoint a DPO or establish a structural unit to comply with the law. |
||
| Belize | Data Protection Act, 2021 – Articles 65-67 |
• The following entities must designate a DPO: › Public authorities, except courts › Controllers or processors whose core activities require regular/systemic monitoring of data subjects on a large scale › Controllers or processors whose core activities include processing sensitive data on a large scale • The DPO may be a staff member or contractor. • Groups of companies can have the same DPO so long as each member can easily access the officer. • Multiple public authorities can also rely on one DPO. |
• Advise controllers and processors about their legal obligations • Monitor compliance with the law and with the controller’s policies • Assist with the data protection impact assessment as requested and monitor performance • Cooperate and coordinate with the commissioner |
• The DPO must have professional qualities, including expert knowledge of data protection law and practices. |
|
| Benin | Digital Code – Article 430 |
• The following entities must appoint a DPO: › Public organizations › Controllers and processors whose core activities require monitoring subjects or processing sensitive data on a large scale |
• Entities that have a DPO are exempt from notifying the APDP of data processing under Article 480. |
||
| Bermuda | Personal Information Protection Act 2016 – Article 5 |
• Organizations, which include public and private entities that use personal information, must designate a privacy officer. • Organizations can share a privacy officer if they are under common ownership or control. • The privacy officer can then “delegate his duties” to others. |
• Take responsibility for compliance with the act • Communicate with the commissioner |
Publish to individuals |
|
| Brazil | Brazilian General Data Protection Law – Article 41 |
• Controllers must appoint a DPO. |
• Receive and respond to complaints • Communicate with the DPA • Educate staff and contractors on personal data protection practices • Conduct other duties as prescribed by controller or set forth in DPA rules |
||
| Cabo Verde | Law 133/V/2001 on the Protection of Personal Data |
• The following entities must appoint a DPO: › Public bodies, except courts › Controllers or processors whose core activities require systemic/regular monitoring of data subjects on a large scale › Controllers or processors whose core activities include processing special categories of data on a large scale or data involving criminal convictions and offenses |
|||
| Canada | Personal Information Protection and Electronic Documents Act |
• Organizations must designate an accountable individual. • Organizations include an association, partnership, person and trade union; the law applies to the personal information that they collect, use or disclose in the course of commercial activities. • The organization can delegate multiple accountable individuals. • Other individuals may act on behalf of the designated individual. |
• Oversee and be accountable for the organization’s compliance with the act’s principles • Handle complaints or inquiries from individuals |
Publish to individuals |
|
| China | Personal Information Protection Law; Cyberspace Administration of China – Announcement of July 18, 2025 |
• Entities that process personal information of more than 1 million individuals must appoint a DPO. |
• Take personal responsibility for supervising personal information handling activities • Ensure total compliance with the PIPL • Facilitate compliance audits as required by the PIPL |
• The DPO must have professional qualifications related to personal information protection laws. |
|
| Colombia | Law 158 of 2012 Decree 1377 of 2013 National Level |
• Controllers and processors must designate a person or area to perform data protection functions. |
• Take responsibility for the personal data protection program • Handle data subjects’ requests |
Include in privacy notice |
|
| Côte d’Ivoire | Law 2013-450 on the Protection of Personal Data |
• DPOs are not required, but certain obligations are waived if the person responsible for the processing of information designates a correspondent for the protection of personal data. |
• Take responsibility for managing documents related to the processing of personal data so that they are available for individuals upon request |
• The requirements for correspondents differ depending on whether the individual is a “natural person” or a legal person. • Requirements generally include status under Ivorian law, education and experience in the field, other skills and qualifications, a clean criminal record and employment as a staff member who meets certain criteria. |
|
| Ecuador | Ley Orgánica de Protección de Datos Personales (“Personal Data Protection Law”) |
• The following must appoint a DPO: › Public authorities › Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities include processing on a large scale of special categories of data • Multiple entities can have the same DPO so long as there is no conflict of interest. • The officer must report to the highest management level and cannot be disciplined or fired for performing their functions. |
• Advise controllers and processors on compliance with data protection law • Monitor compliance with the law and internal policies • Assist with data protection impact assessments where requested • Communicate and cooperate with the Superintendence of Data Protection |
||
| Egypt | Personal Data Protection Law Articles 8-9 |
• The legal representative of any controller or processor must appoint a DPO for that legal entity. |
• Take charge of application of the law • Monitor compliance and procedures • Receive and respond to data subjects’ requests • Evaluate personal data protection systems, document results and issue recommendations • Maintain personal data records • Take corrective actions for violations • Train staff • Implement security procedures • Liaise with the DPA, notify DPA of infringements and implement decisions |
• The DPO must be a competent employee of the entity. |
|
| Ethiopia | Personal Data Protection Proclamation No. 1321/2024 – Section 40 |
• The following entities must designate a DPO: › Public authorities, except courts › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities involve processing sensitive data on a large scale • Multiple entities can have the same DPO so long as each member can easily access the officer. • Multiple government bodies can have the same DPO. |
• Assist the processor and controller in complying with legal data processing requirements • “Facilitate capacity building” of the staff that performs data processing • Assist with the data protection impact assessment as required • Communicate with the DPA |
• The DPO must have academic and professional qualifications. |
|
| EU and EEA Member States | General Data Protection Regulation (Articles 37-39) |
• The following entities must appoint a DPO: › Public authority or body processing data, except courts › Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale or include processing on a large scale of special categories of data › Where required by EU member state law • The DPO can be a staff member or contractor. • They must be resourced to carry out tasks and maintain expertise. • The DPO must report to highest management level. • The DPO must not receive instructions regarding the exercise of their tasks or be dismissed for performing them. • They are bound by confidentiality. |
• Inform and advise on data protection requirements • Monitor compliance • Advise organization on data protection impact assessments • Cooperate with the DPA • Serve as contact for individuals and the DPA |
• The DPO must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
|
| Faroe Islands | Act on the Protection of Personal Data, Act no. 80 of 7 June 2020 – Articles 53-58 |
• The following entities must designate a DPO: › Public authorities › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities involve processing sensitive data on a large scale • Multiple companies can have the same DPO so long as each member can access the officer. • Multiple public authorities can also rely on one DPO. |
• Advise controllers and processors about their legal obligations • Monitor compliance with data protection laws/provisions • Assist with the data protection impact assessment as requested and monitor performance • Cooperate and coordinate with the DPA |
• The DPO must have professional qualities, including expert knowledge of data protection law and practices. |
|
| Gabon | Law No. 025/2023 of 09/07/2023 amending Law No. 001/2011 of September 25, 2011, on the protection of personal data |
• The following entities must designate a DPO: › Public bodies, except courts › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities include processing special categories of data on a large scale or data involving criminal convictions and offences |
• Advise on compliance with the data protection law and monitor for compliance • Assist with data protection impact assessments • Cooperate with the DPA |
• The DPO must be qualified based on knowledge of the law and data protection. |
|
| Georgia | Law of Georgia on Personal Data Protection – Article 33 |
• Controllers/processors that process data or monitor behavior on a large scale must designate a DPO, as well as the following specific entities: › Public institutions › Insurance organizations › Commercial banks › Micro-finance organizations › Credit bureaus › Electronic communication companies › Airlines/airports › Medical institutions • The DPO may be an employee or contractor; they may be permitted to hold other positions so long as there is no conflict of interest. |
• Advise controllers and processors on data protection • Help develop internal regulations and assist with data protection impact assessments as required • Handle applications and requests related to data processing • Coordinate and communicate with the Personal Data Protection Service • Provide individuals with their data processing rights as requested |
• The DPO must have appropriate knowledge of data protection. |
|
| Ghana | Data Protection Act – Section 58 |
• Data controllers may appoint a data protection supervisor. • The supervisor may be an employee. |
• Monitor compliance with the act |
• The DPO must be certified and qualified; criteria will be specified by the commission. |
|
| Gibraltar | Data Protection Act 2004 – Articles 78-80 |
• Any controller, unless it is a court or other judicial authority, must designate a DPO. • Multiple controllers can have the same DPO. |
• Advise controllers and processors on their legal obligations • Assist with data protection impact assessments required by the law • Cooperate and coordinate with the commissioner • Monitor compliance with the internal policies of the controller and the data protection law |
• The DPO must have expert knowledge of data protection law and practices and the ability to perform the required tasks. |
|
| Guernsey | The Data Protection (Bailiwick of Guernsey) Law, 2017 – Part VIII |
• The following entities must designate a DPO: › Public authorities, except courts › Controllers or processors whose core activities require/involve monitoring data subjects systemically or on a large scale › Controllers or processors whose core activities involve processing special category data on a large scale • Other controllers or processors may voluntarily designate a DPO. • Multiple public authorities can rely on a single DPO. • Multiple controllers and processors can also have the same DPO so long as each member can access the officer and the DPO’s time is adequately divided among members. |
• Advise on the legal duties of the controller/processor as it relates to data protection • Monitor compliance with all relevant data protection laws as well as the policies of the entity • Advise on data protection impact assessments as requested • Communicate and coordinate with the DPA |
• DPOs must have professional skills, knowledge and abilities. |
|
| India | Digital Personal Data Protection Act |
• Significant data fiduciaries — those designated by the government based on factors such as the volume and sensitivity of data processed and the risk to individuals/the state — must appoint a DPO. • The DPO must be based in India. |
• Represent the covered entity as it relates to the Digital Personal Data Protection Act • Be the point of contact for the governing body and for individuals using the “grievance redressal mechanism” |
• DPOs must have professional skills, knowledge and abilities. |
|
| Indonesia | Law No. 27 of 2022 regarding Personal Data Protection (“PDPL”) |
• The following entities must appoint a DPO: › Controllers and processors who process personal data for public service purposes › Controllers or processors who perform systematic monitoring of data subjects on a large scale › Controllers or processors who process personal data on criminal activity |
• Inform and advise on data protection requirements • Monitor compliance with the data protection law and internal policies • Advise organization on data protection impact assessments • Cooperate and communicate with the DPA and individuals |
||
| Isle of Man (GDPR) | General Data Protection Regulation (Articles 37-39) |
• The following entities must appoint a DPO: › Public authorities or bodies that process data, except courts › Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale or include processing on a large scale of special categories of data › Where required by EU member state law • The DPO may be a staff member or contractor. • They must be resourced to conduct tasks and maintain expertise. • The DPO must report to highest management level. • The DPO must not receive instructions regarding the exercise of their tasks or be dismissed for performing them. • The DPO is bound by confidentiality. |
• Inform and advise on data protection requirements • Monitor compliance • Advise organization on data protection impact assessments • Cooperate and communicate with the DPA and individuals |
• The DPO must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
|
| Israel | Protection of Privacy Regulations 5777-2017 (pursuant to Article 36 of the Protection of Privacy Law 5741-1981) |
• The following entities must appoint a data security officer under the privacy law/regulations: › “(1) a possessor of five databases that require registration under section 8; › (2) a public body as defined in section 23; › (3) a bank, an insurance company, a company involved in rating or evaluating credit.” • The data security officer reports to the individual who manages the database. |
• Create security procedures for the database • Develop and implement a plan for compliance with the laws and regulations |
• The security supervisor cannot be someone “convicted of an offense involving moral turpitude or an offense of the provisions of this Law.” |
|
| Jamaica | Data Protection Act, 2020 – Article 20 |
• The following entities must appoint a DPO: › Public authorities › Data controllers who process sensitive personal data or data involving criminal convictions |
• Ensure that controllers comply with data privacy standards • Communicate and consult with the commissioner • Correct violations of the data privacy law • Assist data subjects in exercising their rights |
• The DPO must be appropriately qualified and cannot have any conflicts of interest. |
|
| Jersey | Data Protection (Jersey) Law 2018 – Part 5 |
• The following entities must appoint a DPO: › Public authorities, except courts › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities involve processing special category data on a large scale › Other entities as required by law • The DPO can be an employee or contractor. • A group of controllers or processors, including public authorities, can have the same DPO so long as the officer is easily accessible to data subjects, the DPA and individual controllers/processors. |
• Advise controllers and processors about their legal obligations • Monitor for compliance with data protection laws/provisions and internal policies, including staff training • Assist with data protection impact assessments as requested • Serve as the point of contact for data subjects seeking to exercise their rights under the data protection law • Cooperate and coordinate with the DPA |
• The DPO must be qualified with expert knowledge of data protection law and practices. |
|
| Jordan | Personal Data Protection Law No. 24 of 2023 – Article 11 |
• The following entities must appoint a DPO: › Controllers whose primary activity is to process personal data › Those who process sensitive personal data, the data “of persons who lack legal capacity,” or data “that includes financial information” › Those transferring data outside Jordan › Other instances in which the Personal Data Protection Council decides that a controller must appoint a DPO |
• Monitor data protection processes to ensure compliance with data privacy laws and regulations • Facilitate “a regular evaluation and examination for the Data Bases systems, the Data Processing Systems and the Systems for the protection of security and integrity and protection of the Data” and implement recommendations as a result • Coordinate and communicate with the relevant authorities • Coordinate data access requests and allow data subjects to exercise their rights under the data protection law |
||
| Kazakhstan | No. 94-V (“On Personal Data and their Protection”) – Article 25 |
• Owners and operators who are legal entities must appoint a person responsible for organizing the processing of personal data, unless the processing is part of court proceedings. |
• “Exercise internal control over the observance by the owner and/or operator” to ensure that they are complying with the data protection law • Explain the legal requirements imposed by the law • Coordinate the “appeals from persons or their legal representatives” |
If breached | |
| Kenya | Data Protection Act No. 24 of 2019 – Article 24 |
• The following entities must appoint a DPO: › Public or private bodies, except for courts acting in their judicial capacity › Controllers or processors whose core activities require regular/systematic monitoring of data subjects › Controllers or processors whose core activities involve processing sensitive personal data • The DPO can be a staff member and may have other duties so long as they do not create a conflict of interest. • Multiple public authorities can rely on a single DPO. • Multiple controllers and processors can also have the same DPO so long as each member can easily access the officer. |
• Advise on data processing requirements under the data protection law • Ensure that the controller or processor complies with the law • Facilitate capacity building of staff involved in data processing operations • Assist with data protection impact assessments • Communicate and coordinate with the Data Protection Commissioner |
• A qualified DPO will have knowledge and technical skills in matters relating to data protection. |
|
| Kosovo | LAW NO. 06/L-082 ON THE PROTECTION OF PERSONAL DATA – CHAPTER X |
• The following entities must appoint a DPO: › Public bodies, except courts › Controllers or processors whose core activities require systemic/regular monitoring of data subjects on a large scale › Controllers or processors whose core activities involve processing special categories of data on a large scale or data involving criminal convictions and offenses • The DPO can be an employee or a contractor. • Groups of companies can have the same DPO so long as each member can access the officer. • Multiple public bodies can also rely on one DPO. |
• Advise controllers and processors about their legal obligations • Assist with data protection impact assessments as appropriate • Cooperate and coordinate with the Information and Privacy Agency |
• The DPO must have professional qualifications, including expertise in data protection law. |
|
| Malaysia | Personal Data Protection Act Amendment of 2024 |
• Controllers and processors must appoint one or more DPOs. |
• Remain accountable for compliance with the data protection law |
||
| Mauritius | Data Protection Act 2017 – Section 22(2)(e) |
• Every controller must designate an officer as part of their duties under the act. |
• Take responsibility for data protection compliance |
||
| Mexico | Federal Law on Protection of Personal Data Held by Private Parties – Article 30 |
• All data controllers must designate a person or department responsible for data protection. |
• Process requests from data subjects • Promote data protection within the organization |
||
| Montenegro | Personal Data Protection Law 79/08 and 70/09 English translation |
• Controllers who establish an automatic personal data filing system must appoint a responsible person, unless they have fewer than 10 employees conducting personal data processing. |
|||
| New Zealand | Privacy Act 2020 – Part 9, Section 201 |
• Agencies must appoint one or more privacy officers. • An agency that is an individual collecting or holding personal information solely in connection with the individual’s personal/domestic affairs is exempt. • The individual may be within or outside the agency. |
• Encourage compliance with the Information Privacy Principles • Handle individual requests made to the agency • Liaise with the DPA on investigations • Ensure compliance with the act |
||
| Nigeria | Data Protection Regulation 2019 – Section 3.1.2 |
• Every data controller must designate a DPO. • The DPO must be a staff member or contracted firm/individual. |
• Ensure compliance with the regulation and the controller’s data protection directives |
• DPOs and those involved in data processing must continuously participate in capacity building. |
|
| North Macedonia | Law on Personal Data Protection – Articles 41-43 |
• The following entities must designate a DPO: › State administration bodies, except courts › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities involve processing special categories of data on a large scale or data involving criminal convictions and offenses • The DPO can be an employee or contractor. • Groups of companies can have the same DPO so long as each member can easily access the officer. • Multiple public authorities can also rely on one DPO. |
• Advise controllers and processors about their legal obligations • Monitor compliance with data protection laws/regulations, as well as the policies of the controller or processor • Assist with data protection impact assessments as requested • Cooperate and coordinate with the Personal Data Protection Agency |
• The DPO must have professional qualities, including expert knowledge of personal data protection law. • The law includes additional requirements, including command of Macedonian, a record free of convictions, a certain level of education and practical skills. |
|
| Panama | Law No. 81 on Personal Data Protection 2019 |
• Governmental entities and banks must appoint a DPO. |
|||
| Philippines | Data Privacy Act of 2012 – Section 21(b) |
• Personal information controllers must designate an accountable individual. • The organization can designate one or more individuals. |
• Account for the organization’s compliance with the act |
Upon request | |
| Republic of Congo | Law 29-2019 on the Protection of Personal Data |
• The following entities must designate a DPO: › Public entities › Entities that process particular data on a large scale or whose operations require regular and systemic follow-up |
|||
| Republic of Moldova | Law No. 195 of 25-07-2024 on the protection of personal data – Section 4 (Articles 37-39) |
• The following entities must designate a DPO: › Public authorities, except courts › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose main activities include processing special categories of data on a large scale or data involving criminal convictions and offenses • The DPO can be an employee or a contractor. • Groups of companies can have the same DPO so long as each member can access the officer. • Multiple public authorities can also rely on one DPO. |
• Advise controllers and processors about their legal obligations • Monitor compliance with data protection laws and the controller’s policies • Assist with data protection impact assessments as requested • Cooperate and coordinate with the National Centre for Personal Data Protection |
• The DPO must have professional qualifications including specialist knowledge of and practice in the field of personal data protection. |
|
| Russia | Data Protection Act – Section 22.1.1 |
• Operators, which are legal entities, must appoint a DPO. • The DPO must be accountable to the operator’s executive body. |
• Organize the processing of personal data • Exercise internal control over compliance with personal data-related legislation • Educate the operator and employees regarding personal data-related requirements • Handle data subject requests |
||
| Rwanda | Law No. 058/2021 – Protection of Personal Data and Privacy Law – Article 41 |
• The following entities must designate a DPO: › Public bodies, except courts › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities include processing sensitive personal data and data relating to convictions • Groups of companies can have the same DPO so long as each member can access the officer. • Multiple public authorities can also rely on one DPO. • The DPO may be a staff member or contractor. |
• Advise controllers and processors about their legal obligations • Monitor compliance with data protection laws/regulations • Assist with data protection impact assessments as requested • Cooperate and coordinate with supervisory authorities |
• The DPO must have professional qualities and expert knowledge of personal data protection. |
|
| San Marino | Law 171/2018 – Articles 38-40 |
• The following entities must designate a DPO: › Public authority or body processing data, except courts › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities involve processing on a large scale of special categories of data • The DPO can be a staff member or contractor. • They must be resourced to carry out tasks and maintain expertise, and report to highest management level. • The DPO must not receive instructions or be dismissed with regard to the performance of their tasks. • They are bound by confidentiality. |
• Inform and advise on data protection requirements • Monitor compliance with the data protection law and internal policies of the controller • Advise organization on data protection impact assessments • Train staff • Cooperate with the DPA • Serve as contact for individuals and the DPA |
• DPOs must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
|
| Saudi Arabia | Personal Data Protection Law; The Implementing Regulation of the PDPL |
• The following entities must appoint a DPO: › Public entities that process personal data on a large scale › Controllers or processors whose core activities require regular/continuous monitoring of data subjects on a large scale › Controllers or processors whose core activities involve processing sensitive data • The DPO can be a staff member or contractor. |
• Monitor and ensure that the PDPL is implemented • Communicate with the competent authority • Assist with “impact assessment procedures, audit reports, and evaluations” • Enable data subjects to exercise their rights under the PDPL |
||
| Serbia | Law on Protection of Personal Data – Articles 56-58 |
• The following entities must designate a DPO: › Public authorities, except courts › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities involve processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses • The DPO can be a staff member or contractor. • They must report to the head controller or processor. |
• Inform and advise on data protection requirements • Monitor implementation of the law and regulations on protection of personal data • Advise, when requested, on data protection impact assessment and actions taken based on assessment • Cooperate and communicate with the commissioner and data subjects • Maintain confidentiality of personal data |
• The DPO must have professional knowledge, experience in the field and the ability to perform required tasks. |
|
| Singapore | Personal Data Protection Act – Section 11(3) |
• To comply with the law, organizations must designate individual(s) to be responsible for ensuring compliance. • Organizations include any individual, company, association, or body of persons. • The data protection law governs the collection, use and disclosure of personal data by organizations. • The duties can be performed by one person or a team. |
• Ensure that the organization complies with the data protection law |
PDPC DPO Competency Framework and Training Roadmap |
|
| South Africa | Protection of Personal Information Act – Chapter 5, Part B |
• Public and private bodies must designate an information officer, as well as any deputy information officers that are needed. |
• Encourage lawful processing of personal information • Handle individual requests • Coordinate and communicate with regulator on investigations • Otherwise ensure compliance with the act and perform additional duties as prescribed |
||
| South Korea | Personal Information Protection Act – Article 31(1) |
• Personal information controllers must designate a privacy officer. |
• Take charge of data processing • Establish a data protection plan • Survey data processing practices and improve data processing • Address grievances with data processing • Build controls to prevent misuse of personal data • Educate staff about data protection • Protect, control and manage data files • Implement corrective measures for violations and report them to head of organization |
||
| Seychelles | Data Protection Act, 2023 – Articles 45-46 |
• The following entities must designate a DPO: › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities involve processing special categories of data on a large scale • Multiple data controllers can designate the same individual as their DPO. |
• Monitor data protection processes to ensure compliance with data privacy laws • Coordinate and communicate with the commission • Communicate with data subjects and handle disputes |
• A qualified DPO will have knowledge of data protection law and practice in the field. |
|
| Sri Lanka | Personal Data Protection Act, No. 9 of 2022 – Article 20 |
• The following entities must appoint a DPO: › Ministries, government departments, or public corporations (except courts) › Controllers or processors whose core activities require regular/systematic monitoring of data subjects › Controllers or processors whose core activities involve processing special categories of data › Controllers or processors whose core activities include processing that results “in a risk of harm affecting the rights of the data subjects protected under this Act” • Groups of companies can have the same DPO so long as each member can access the officer. • Multiple public authorities can also rely on one DPO. |
• Advise controllers and processors about their legal obligations and ensure compliance with the data privacy law • Coordinate capacity building of staff for data processing • Assist with personal data protection impact assessments • Cooperate with the DPA |
• The DPO must be academically and professionally qualified, including “competency and capacity to implement strategies and mechanisms to respond to inquiries and incidents related to processing of personal data.” |
|
| Tanzania | Personal Data Protection Act – Section 27(3); The Personal Data Protection Regulations, 2023 |
• Controllers and processors must appoint a DPO. |
• Ensure that processing complies with the data protection law • Facilitate applications and complaints from data subjects • File quarterly compliance reports to the commission • Report violations of the Personal Data Protection Act or the Regulations |
||
| Thailand | Personal Data Protection Act – Sections 41-42 |
• The following entities must designate a DPO: › Controllers or processors that are public authorities › Controllers or processors whose activities require regular monitoring of personal data on a large scale › Controllers or processors whose core activities involve processing sensitive data • Affiliated controllers and processors can designate a single DPO. • The officer can be a staff member or contractor but must be provided with adequate tools, equipment and data access. • The DPO must report to the chief executive and be protected from dismissal for performing tasks. |
• Give advice with respect to compliance with the act • Investigate data processing for compliance with the act • Cooperate with the regulator • Maintain confidentiality of personal data • Other duties as assigned that do not conflict with duties under the act |
• Regulators may prescribe qualifications related to knowledge or expertise. |
|
| Uganda | Data Protection and Privacy Act – Article 6 |
• Institutions (i.e., covered entities other than individuals or public bodies) must appoint a DPO. |
• Ensure compliance with the act | ||
| Ukraine | Data Protection Law – Article 24(2) |
• The following entities must appoint a DPO: › State and local governments › Controllers and processors that process data of particular risk to the rights and freedoms of data subjects. › The law excludes sole traders, including doctors, attorneys, and notaries, which are personally responsible. |
• Organize the work related to personal data protection • Inform and advise the controller or processor on observance of the legislation • Cooperate with the Ukrainian Parliament Commissioner for Human Rights and appointed officials on compliance |
||
| United Arab Emirates (Abu Dhabi) | ADGM Data Protection Regulations – Articles 35-37 |
• Controllers or processors must appoint a DPO in the following circumstances: › Processing by public authority or body, except courts › Core activities require regular and systematic monitoring of data subjects on a large scale › Core activities include processing on a large scale of special categories of data • The officer may be a staff member or contractor. • The DPO may be appointed by a single entity or a group of entities. • The DPO does not need to be a resident within Abu Dhabi Global Market. |
• Inform and advise on data protection requirements • Monitor compliance • Raise organizational awareness and train staff • Advise organization on data protection impact assessments • Cooperate with the Commissioner of Data Protection • Serve as contact point for data subjects and the commissioner |
• The DPO must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
|
| United Kingdom | U.K. General Data Protection Regulation – Articles 37-39 |
• The following entities must appoint a DPO: › Public authorities or bodies, except courts › Controllers or processors whose core activities require regular/systematic monitoring of data subjects on a large scale › Controllers or processors whose core activities include processing on a large scale of special categories of data • The officer can be a staff member or contractor. |
• Inform and advise on data protection requirements • Monitor compliance with the data protection law • Advise organization on data protection impact assessments • Cooperate with the Information Commissioner’s Office • Serve as contact for individuals and ICO |
• The DPO must have professional qualities, expert knowledge of data protection law and practices and the ability to fulfill legally mandated tasks. |
|
| United States | Health Insurance Portability and Accountability Act – Section 164.530(a)(1) |
• HIPAA-covered entities must appoint a DPO. |
• Develop and implement the policies and procedures of the entity |
Record of designation |
|
| Uruguay | Law 19670 – Article 40 | • The following entities must appoint a DPO: › Public entities › Fully or partially state-owned private entities, and private entities that process sensitive data as their main business and those that process large volumes of data (concerning more than 35,000 people) • They can be a staff member or a contractor but must have full access to personal databases and processing operations. |
• Advise on the formulation, design and application of data protection policies • Supervise compliance with regulations • Propose measures to conform to the regulations and international standards on data protection • Liaise with the regulator • Other tasks as assigned, which do not conflict with mandated duties |
• A DPO must have the necessary qualifications to perform their duties, including accredited expertise in law and specialized knowledge in the protection of personal data. |
Within 90 days of appointment |
| Uzbekistan | Law of the Republic of Uzbekistan – About Personal Data – Article 31 |
• Entities delegate a structural unit or official responsible for ensuring that data is protected and processed in accordance with the standard. |
• The “Standard Procedure for organizing the activities of a structural unit or authorized person” is approved by the relevant state body. |
||
| Vietnam | Law on Personal Data Protection |
• Controllers and processors that process sensitive personal data must appoint a DPO. |
|||
| Zambia | Data Protection Act, 2021 – Article 48 |
• Data controllers and processors must appoint a DPO “in accordance with the guidelines issued by the Data Protection Commissioner.” |
|||
| Zimbabwe | Data Protection Act – Article 20 |
• Controllers are not required to appoint a DPO, but those who do may be exempted from certain notification requirements. |
• Ensure that the data controller complies with data protection laws and regulations • Facilitate requests submitted to the controller • Coordinate with the DPA |
||