The Personal Data Protection Law requires that all controllers identify a personal data protection officer and that the information of this officer is communicated to data subjects prior to processing any of their data. The specific details required for the implementation of this obligation have now been clarified in the Executive Regulation of the Personal Data Protection Law. This blog post will highlight the key elements of this obligation.
First of all, the executive regulation did not provide any exemptions for the requirement to identify a personal data protection officer. This means that all organisations, irrespective of size, industry, the type of data they process, the amount of data they process, or the number of data subjects they interact with, are required to identify a personal data protection officer as long as the law applies to them.
The executive regulation uses the same language as the law: the requirement is to “identify” a personal data protection officer, not to “appoint” one. We understand this to mean that the position of “personal data protection officer” does not have to be a standalone full-time job. It can be a role assigned to an existing employee, who might or might not be carrying out similar functions (for example, compliance in general), as long as the employee meets the requirements stipulated by the executive regulation.
Article 34 of the executive regulation stipulates the requirements for the personal data protection officer, which are that he is qualified to carry out the tasks stipulated in the regulation, that he is familiar with the law and the personal data protection practices of the controller, and that he is of professional competence. There are no requirements for any specific certification or for prior academic or professional experience.
The actual duties of the personal data protection officer are stipulated in Article 35 of the executive regulation. In summary, the officer is responsible for giving advice to the controller, monitoring the implementation of data protection policies, monitoring the implementation of the law and the regulation, and coordinating with the Ministry of Transport, Communications, and Information Technology in matters relating to the processing of personal data.
The controller is required to publish the name and contact details of the personal data protection officer to enable data subjects to contact him.
You can read the Personal Data Protection Law as well as its newly issued executive regulations in full in English on the links below: