LRD guides and handbook March 2018

The General Data Protection Regulation - a practical guide for trade unionists

Chapter 1

Data protection officer

[ch 1: pages 11-12]

In some cases, the data controller and processor have a duty to appoint a data protection officer, who will be involved in all aspects of data protection. These are where:

• the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

• the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of people on a large scale; or

• the controller’s or processor’s core activities are the large-scale processing of special categories of data or personal data relating to criminal convictions and offences.

A group of companies can appoint a single data protection officer, provided he or she is accessible to each of them. A single data protection officer can cover several authorities or bodies.

The data protection officer must be designated on the basis of professional qualities and expert knowledge of data protection law. He or she may be a member of the controller’s or processor’s staff, or carry out the tasks under a service contract.

The controller or processor must publish the contact details of the data protection officer and give them to the ICO.