20. Appointment of data protection officers
1. A data controller falling within subsection (6) shall appoint an appropriately qualified person to act as the data protection officer responsible in particular for monitoring in an independent manner the data controller’s compliance with the provisions of this Act.
2. A person shall not be qualified to be appointed under subsection (1) if there is or is likely to be any conflict of interest between the person’s duties as data protection officer and any other duties of that person.
3. The functions of a data protection officer shall include—
(a) ensuring that the data controller processes personal data in compliance with the data protection standards and in compliance with this Act and good practice;
(b) consulting with the Commissioner to resolve any doubt about how the provisions of this Act and any regulations made under this Act are to be applied;
(c) ensuring that any contravention of the data protection standards or any provisions of this Act by the data controller is dealt with in accordance with subsection (5); and
(d) assisting data subjects in the exercise of their rights under this Act, in relation to the data controller concerned.
4. A data controller shall notify the Commissioner as to the name, address and other relevant contact information of the data protection officer appointed by the data controller under this section, and in the event of any changes thereto.
5. Where the data protection officer has reason to believe that the data controller has contravened a data protection standard or any of the provisions of this Act, the data protection officer shall—
(a) forthwith in writing notify the data controller of the contravention; and
(b) if the data protection officer is not satisfied that the data controller has rectified the contravention within a reasonable time after the notification, report the contravention to the Commissioner.
6. A data controller falls within this subsection if the data controller—
(a) is a public authority;
(b) processes or intends to process sensitive personal data or data relating to criminal convictions;
(c) processes personal data on a large scale; or
(d) falls within a class prescribed by the Commissioner by notice published in the Gazette as being a class of data controllers to whom subsection (1) applies,
but a data controller who processes personal data only for the purpose of a public register or which is a non-profit organisation established for political, philosophical, religious or trade union purposes, does not fall within this subsection.