Designation of the data privacy officer

67.(1) The data controller and the data processor shall designate a data privacy officer in any case where:

(a) the processing is carried out by a public authority or body, except for a court of competent jurisdiction acting in their judicial capacity;

(b) the core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the data controller or the data processor consist of processing on a large scale of sensitive personal data.

(2) A group of undertakings may appoint a single data privacy officer provided that a data privacy officer is easily accessible from each establishment.

(3) Where a data controller or the data processor is a public authority or body, a single data privacy officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

(4) In cases other than those referred to in subsection (1), the data controller or data processor or associations and other bodies representing categories of data controllers or data processors may designate a data privacy officer.

(5) The data privacy officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the duties and functions referred to in section 69.

(6) The data privacy officer may be a staff member of the data controller or data processor, or fulfil the tasks on the basis of a service contract.

(7) The data controller or the data processor shall communicate the contact details of the data privacy officer to the Commissioner.