Register Your DPO
Mandatory Designation:
Article 37 of the GDPR imposes an obligation on a data controller and a data processor to designate a data protection officer where:
1. the processing is carried out by a public authority or body, except for court acting in their judicial capacity;
2. the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
3. the core activities of the controller or processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10.
If your activities fall within the parameters of one of the criteria listed above, you must appoint a DPO, publish his or her details and communicate such details to this Office on idpc.info@idpc.org.mt.
Prior Assessment:
Organisations should carry out an assessment prior to the designation to ensure that the DPO does not fulfil other tasks and duties which may result in a conflict of interest.
The designated officer cannot hold a position within the organisation that leads them to determine the purposes and the means of the processing of personal data.
For further information, you are kindly guided to the EDPB Guidelines on Data Protection Officers available at this link.
Necessary Details:
The necessary details regarding the designation to be communicated to the IDPC are the following:
Data Controller, Name of DPO, Mailing Address, Email Address,
Contact Number, Nature of Business, and Date of Appointment.​
Important:
Please note that the Commissioner does neither approve nor endorse any DPO’s designation, thus this Office will only register the contact details as provided by yourself for the purpose of Article 37(7) of the GDPR. This registration is without prejudice to the Commissioner’s powers to investigate any infringements of the Data Protection Legislation.