Rules for Appointing Personal Data Protection Officer Article 9 outlines the general obligations and governance principles surrounding the appointment of a Data Protection Officer (DPO). It emphasizes that the appointment must be periodically reviewed, supported by adequate resources, and free from conflicts of interest. Even when not mandatory, Controllers are encouraged to voluntarily appoint a DPO. Additionally, it introduces accountability when engaging Processors, promotes professional development for DPOs, and mandates appropriate organizational alignment.
Controllers must review, support, and govern DPO appointments with integrity and foresight.
Rules for Appointing Personal Data Protection Officer Article 9 (1)
Periodic Review
Controllers shall periodically review DPO appointment cases to determine whether such cases are still required or likely to become mandatory according to provisions hereof.
Rules for Appointing Personal Data Protection Officer Article 9 (2)
Voluntary Appointment
The Controller may appoint a DPO on a voluntary basis, even if not obligated to do so, to assist in complying with the provisions of the Law and its Implementing Regulations.
Rules for Appointing Personal Data Protection Officer Article 9 (3)
Processors’ Obligation
When concluding an agreement between the Controller and the Processor for processing personal data on behalf of the Controller, the Controller shall verify whether the Processor has a DPO. If the appointment of a DPO is required under these rules, the Controller should request the appointment to ensure that the necessary guarantees for implementing the provisions of the Law and Implementing Regulations are in place.
Rules for Appointing Personal Data Protection Officer Article 9 (4)
Support & Enablement
The Controller must enable and support the DPO in performing their duties and responsibilities by providing all necessary resources.
Rules for Appointing Personal Data Protection Officer Article 9 (5)
Conflict-Free Duties
When appointing a DPO, the Controller shall not assign tasks that may conflict with DPO tasks or affect the DPO’s independence.
Rules for Appointing Personal Data Protection Officer Article 9 (6)
Training & Development
The Controller shall work on training and developing DPOs in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.
Rules for Appointing Personal Data Protection Officer Article 9 (7)
Organizational Reporting
The DPO shall be organizationally linked to the Data Management Office within the Controller. If the Controller is not obligated to establish a Data Management Office, the DPO should be linked to another department, in accordance with paragraphs (4) and (5) of this article.
Explanation of Rules for Appointing Personal Data Protection Officer Article 9
Assess if DPO appointment is still required:
Rules for Appointing Personal Data Protection Officer Article 9 (1) says that Controllers must regularly review if they are required—or are likely to be required—to appoint a DPO based on evolving processing activities.
Optional but encouraged:
Rules for Appointing Personal Data Protection Officer Article 9 (2) says that even if not required, Controllers are allowed to appoint a DPO voluntarily to help strengthen compliance.
Verify subcontractor DPOs:
Rules for Appointing Personal Data Protection Officer Article 9 (3) says that when outsourcing processing, Controllers must check if the Processor needs a DPO and request one if necessary.
Provide resources and authority:
Rules for Appointing Personal Data Protection Officer Article 9 (4) says that Controllers must empower the DPO with sufficient resources, tools, and authority to perform their role effectively.
Maintain independence:
Rules for Appointing Personal Data Protection Officer Article 9 (5) says that the Controller must not assign the DPO conflicting roles that might compromise objectivity or interfere with their DPO responsibilities.
Enhance DPO’s skills:
Rules for Appointing Personal Data Protection Officer Article 9 (6) says that Controllers should support DPOs in obtaining professional certifications and keep them updated on data protection knowledge.
Link to DMO or similar structure:
Rules for Appointing Personal Data Protection Officer Article 9 (7) says that the DPO should report to the Data Management Office (DMO). If no DMO exists, the DPO must report to a designated alternative structure per this article.