Article 25. Designation of the Data Protection Officer – Law no. 133/2011 on personal data protection
(1) The controller and the processor shall designate a data protection officer whenever:
a) the processing is carried out by a public authority or institution, with the exception of courts acting in the exercise of their judicial function;
b) the main activities of the controller or the processor consist of processing procedures which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale;
c) the main activities of the controller or the processor consist in the large-scale processing of special categories of data.
(2) A group of undertakings may designate a single data protection officer, provided that such person is easily accessible to each undertaking.
(3) If the controller or the processor is a public authority or public institution, a single data protection officer may be designated for several of these authorities or institutions, taking into account their organizational structure and size.
(4) The data protection officer is designated on the basis of professional qualities and, in particular, of the specialized knowledge regarding the regulations and practices in the field of data protection, as well as on the basis of the capacity to fulfill the tasks provided in art. 25².
(5) The data protection officer may work for the controller or the processor or may perform his duties under a service contract.
(6) The controller or the processor shall publish the contact details of the data protection officer and shall communicate them to the Center.
(7) In cases other than those mentioned in par. (1), the controller or the processor, as well as the associations and other institutions representing categories of controllers or processors, may designate or, where the legislation so provides, shall designate a data protection officer. The data protection officer may act on behalf of such associations and other institutions representing the controller or the processor.
[Art.25 in wording of LP175 of 11.11.21, MO302-306/10.12.21 art.431; in force 10.01.22]
Article 25¹. Function of the Data Protection Officer – Law no. 133/2011 on personal data protection
(1) The controller and the processor shall ensure that the data protection officer is properly and timely involved in all matters relating to the protection of personal data.
(2) The controller and the processor provide support to the data protection officer in performing the tasks indicated in art. 25², providing him with the resources necessary for the execution of the respective tasks and for the maintenance of his specialized knowledge, as well as access to the personal data and to the processing operations.
(3) The controller and the processor ensure that the data protection officer does not receive instructions on how to perform the tasks. He may not be dismissed or sanctioned by the controller or the processor for performing his duties. The data protection officer is directly responsible to the highest level of management of the controller or processor.
(4) Data subjects may contact the data protection officer on matters relating to the processing of their data and the exercise of their rights under this law.
(5) The data protection officer has the obligation to respect the secrecy or confidentiality regarding the performance of tasks, in accordance with the normative acts.
(6) The data protection officer may also perform other tasks and duties. The controller or processor shall ensure that none of these tasks and responsibilities give rise to a conflict of interest.
[Art.25¹ introduced by LP175 of 11.11.21, MO302-306/10.12.21 art.431; in force 10.01.22]
Article 25². Tasks of the data protection officer – Law no. 133/2011 on personal data protection
(1) The data protection officer shall have at least the following tasks:
a) informing and advising the controller or processor, as well as the employees in charge of data processing, regarding the obligations incumbent on them under this law and other normative acts;
b) monitoring compliance with this law and other normative acts related to data protection and with the policies of the controller or processor regarding the protection of personal data, as well as the assignment of responsibilities, including awareness-raising and training of staff involved in processing operations, and the related audits;
c) providing advice, on request, regarding the data protection impact assessment and monitoring its performance;
d) cooperation with the Center;
e) taking on the role of contact point for the Center on data processing issues, including prior consultation and, where appropriate, consultation on other matters.
(2) In carrying out his duties, the data protection officer shall take due account of the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.
[Art.25² introduced by LP175 of 11.11.21, MO302-306/10.12.21 art.431; in force 10.01.22]