ENTIRELY REMOVING THE PREVIOUS NOTIFICATION SYSTEM, THE NEW REGULATION FORCES THE APPOINTMENT, IN SOME CIRCUMSTANCES, OF A PERSONAL DATA OFFICER, SO AS TO ENSURE THE ENFORCEMENT OF THE LAW.

Therefore, the appointment will be compulsory in the following 3 situations:
  1. when the processing is conducted by a public authority or body, excepting the courts of law acting in the exercise of their jurisdictional function;
  2. when the main activities of the operator or the person empowered by him consist in a large scale processing of special data categories which require a periodic and systematic monitoring of the people concerned;
  3. when the main activities of the operator or the person empowered by the operator consist in a large scale processing of special categories of data or some other private data categories regarding criminal convictions and offences.
In order to appoint a data protection officer, the economic operator will have to make a choice: either appoint someone from within the company, or employ an individual or a legal person in terms with a services contract. However, in both cases, the data protection officer must possess a relevant expertise regarding the legal provisions and the practice of this particular field. The contact data of the officer shall be published and notified to the surveillance authority.
Entities not complying with this obligation may be fined with up to 10 million EUR, or 2% of the total turnover obtained in the previous financial year.

Issuer of the GDPR: the European Parliament