The European Union had recently reached an important milestone in its reform of data protection law. The European Parliament had voted in favor of the Proposal of Data Protection Regulation (find full text here).
The Regulation introduces a mandatory data protection officer for the public sector and for large enterprises. The legal regulation of data protection officer had already been described at data & it law.
This article gives an international comparison of the regulation of the Data Protection Officer.
The majority of countries do not require the appointment of a Data Protection Officer…
In many cases, there is no regulation of a data protection officer at all.
On the other hand, although some countries do not require the mandatory appointment of a data protection officer, their legislation regulates its rights and obligations.
In France, the task of a data protection officer is to ensure compliance with the legal obligations. The Officer might also be liable for its activities. The similar situation is in Luxembourg or Switzerland, in which the appointment of data protection officer may exempt the data controller from notification obligations.
…but some do!
Some countries require the appointment of a data protection officer in a broad range of potential data security breaches. In Canada, an organization is expressly obliged to appoint an individual responsible for the compliance with data protection legislation. In India, it is necessary to appoint a ‘grievance’ officer.
Similar legislation requirements are in Korea, Turkey, Ukraine, Russia, South Africa or Mexico with different kinds of responsibilities. They include the performance of internal controls, dealing with requests, education within the company, etc.
In some countries, legislation requires the appointment of a data protection officer only under certain criteria. For example, in Germany the appointment is mandatory, if the company employs more employees than specified in the legislation. The law also distinguishes between automated and non-automated processing.
In Hungary, the appointment is mandatory in cases of national authorities, financial organizations or telecommunications providers. The Hungarian legislation also requires a high standard of education and practice. In the United States, there is an obligation to appoint an officer to ensure organization’s compliance.
The principles in the EU Proposal of the Regulation
Pursuant to Article 35 of the Proposal, the data controller or processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body; or
(b) the processing is carried out by an enterprise employing 250 persons or more; or
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
Accordingly, EU legislation would require to appoint the data protection officer in specific cases. In other cases, EU grants a non-mandatory approval pursuant to the Article 35(4) of the Proposal.
In many EU Member states, the legal regulation of data protection officer had not existed before the Proposal. On the other hand, in many other states, the requirements would in reality lower.
Therefore, the final solution would depend on the specific experience of the company with its officer, its costs and benefits for the company.
The legal regulation of a Data Protection Officer differs from country to country. Some countries do not regulate the issue at all, some do not require a mandatory appointment. On the other hand, some countries require a very broad appointment of a Data Protection Officer, whereas other countries only in specific cases.
EU Regulation would unify the legislation within the European union. In order to transfer personal data of EU citizens outside of the EU, the data controller must ensure the same level of protection as in the EU. Accordingly, the Regulation might indirectly lead to the greater use of data protection officer in the whole world.
Would it be necessary for a non-EU company to appoint a data protection officer to satisfy the requirement? Feel free to comment or ask further questions here.