Jan Dop

partner

Jan is a specialist in employment law and corporate law

jan.dop@russell.nl
+31 20 301 55 55

Reinier Russell

managing partner

Reinier advises national and international companies

reinier.russell@russell.nl
+31 20 301 55 55

Privacy: Data protection officer

Publication date 25 August 2022

With the European General Data Protection Regulation (GDPR), the appointment of a data protection officer has become mandatory for certain businesses and organizations. What are the duties of this officer and what kind of businesses are required to appoint such an officer?

What kind of businesses are required to appoint a data protection officer?

According to the European General Data Protection Regulation (GDPR), businesses and organizations must appoint a data protection officer if:

  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

If your business has appointed a data protection officer in the Netherlands, you have to provide the officer's contact details to the Personal Data Authority.

Data protection officer

The data protection officer – also referred to as privacy officer – is an independent person who monitors the general quality of the data protection policy of an organization. Therefore, while performing his tasks, he cannot receive instructions from you as the employer or client. In addition, a data protection officer may not be dismissed or fined due to his or her work. However, the officer may also carry out other work, provided that this does not create a conflict of interest.

The data protection officer monitors whether the processing of data in your company is in accordance with the General Data Protection Regulation. Therefore, the controller and processor must involve the officer in a timely manner in any processing of personal data. If the data protection officer detects irregularities, he must report them to the person in charge or to the company he was appointed by.

In addition, the data protection officer is allowed to make recommendations. However, these recommendations have an advisory function only. Ultimately, it’s up to the person in charge whether to follow the advice of the data protection officer or not.

Appointing a data protection officer means you will have a “watchdog” within your company. You will also have an in-house expert who can quickly provide insight into the right way to process data. To ensure that this expertise is maintained, the employer is required to provide the necessary means, including training. The national data protection agency will be reluctant to act if the data protection officer performs his duties properly.

Action

  • Check whether you are required to appoint a data protection officer.
  • Have it checked whether the tasks and competences of the data protection officer comply with the GDPR.

More information

More information on the European privacy rules can be found in other newsletters in this series:

Privacy and GDPR lawyer

Would you like to know more about the application of the General Data Protection Regulation, or do you have any other questions on how to organize your company in the context of the data protection regulation? Please contact us:
