Visit fondia.com
The content concerns Finnish legislation.
 

Designation of the data protection officer

The organization must designate a data protection officer in case where:

  • the organization is a public authority or body, except for courts

  • the core activities of the organization consist of processing personal data which, by virtue of their nature, scope and/or purposes, requires regular and systematic monitoring of data subjects on a large scale; or

  • the core activities of the organization consist of a large-scale processing of personal data relating to special categories of personal data or data relating to criminal convictions or offences

The Data Protection Officer, among other things, monitors the implementation of data protection in the organization, advises employees who process personal data, and cooperates with the supervisory authority.

There are no qualification or educational requirements for a data protection officer, but he or she must have sufficient knowledge and experience in applying data protection law. The person appointed as data protection officer must be able to perform his or her tasks independently and therefore cannot be appointed as data protection officer if his or her duties within the organization involves determining the purposes and means of the processing of personal data. Such tasks may, for example, fall within the duties of a chief information security officer or senior management.