KSAPDPL.COM


PDPL Implementing Regulation Article 32 – Data Protection Officer

Implementing Regulation of PDPL Article 32 says Controllers must appoint a Data Protection Officer (DPO) in certain high-risk processing scenarios. The DPO oversees PDPL compliance, manages internal processes, handles breach notifications, and serves as the liaison with the Competent Authority. This officer may be internal or external, and their role includes monitoring, enabling rights, and driving accountability.

Appoint a DPO when your processing is large-scale, sensitive, or involves public entities. The DPO ensures legal compliance and is the main point of contact for regulators and data subjects.

When collecting or Processing Personal Data for scientific, research, or statistical purposes without Data Subject’s consent, the Controller shall commit to the following:

Implementing Regulation of PDPL Article 32 (1)

DPO Appointment Triggers

The Controller shall appoint one or more individuals to be responsible for the protection of Personal Data in any of the following cases:

a) Controller is a Public Entity that provides services involving Processing of Personal Data on a large scale.

b) Primary activities of the Controller consist of Processing operations that require regular and continuous monitoring of individuals on a large scale.

c) Core activities of the Controller consist of Processing sensitive Personal Data.

Implementing Regulation of PDPL Article 32 (2)

Who Can Qualify

Subject to the requirements of paragraph (1) of this Article, the data protection officer may be an official, an employee or an external contractor of the Controller.

Implementing Regulation of PDPL Article 32 (3)

DPO Responsibilities

The Personal Data Protection Officer is responsible for monitoring the implementation of the provisions of the Law and its Regulations, overseeing the procedures adopted by the Controller, and receiving requests related to Personal Data in accordance with the provisions of the Law and its Regulations. Specifically, their responsibilities include:

a) Acting as the direct point of contact with the Competent Authority and implementing its decisions and instructions regarding the application of the provisions of the Law and its Regulations.

b) Supervising the impact assessment procedures, audit reports, and evaluations related to Personal Data protection controls, documenting the assessment results, and issuing necessary recommendations accordingly.

c) Enabling the Data Subject to exercise their rights as stipulated in the Law.

d) Notifying the Competent Authority of Personal Data Breach incidents.

e) Responding to requests from Data Subjects and addressing complaints filed by them in accordance with the provisions of the Law and its Regulations.

f) Monitoring and updating the records of Personal Data Processing activities of the Controller.

g) Handling the Controller’s violations related to Personal Data and taking corrective actions accordingly.

Implementing Regulation of PDPL Article 32 (4)

SDAIA Guidelines

The Competent Authority shall issue rules for the appointment of the data protection officer, which shall include the circumstances under which a data protection officer shall be appointed.

Explanation of Implementing Regulation of PDPL Article 32

When you must appoint:

Implementing Regulation of PDPL Article 32 (1) says a DPO is mandatory if you are a public entity processing data at scale, continuously monitor individuals, or process sensitive data as a core activity.

Internal or external:

Implementing Regulation of PDPL Article 32 (2) says the DPO can be an employee, officer, or external contractor, as long as they fulfill their compliance obligations.

What DPO must do:

Implementing Regulation of PDPL Article 32 (3) says DPOs oversee PDPL compliance, manage assessments, act as the contact for the Authority, support data subjects, notify breaches, maintain records, and address violations.

Rules to follow:

Implementing Regulation of PDPL Article 32 (4) says SDAIA (the Competent Authority) will issue detailed rules regarding appointment conditions and circumstances that require a DPO.
