Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (c. 680)

CHAPTER IV U.K. Controller and processor

Section 3 U.K. Data protection officer

Article 32U.K.Designation of the data protection officer

1.Member States shall provide for the controller to designate a data protection officer. Member States may exempt courts and other independent judicial authorities when acting in their judicial capacity from that obligation.

2.The data protection officer shall be designated on the basis of his or her professional qualities and, in particular, his or her expert knowledge of data protection law and practice and ability to fulfil the tasks referred to in Article 34.

3.A single data protection officer may be designated for several competent authorities, taking account of their organisational structure and size.

4.Member States shall provide for the controller to publish the contact details of the data protection officer and communicate them to the supervisory authority.

Article 33U.K.Position of the data protection officer

1.Member States shall provide for the controller to ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

2.The controller shall support the data protection officer in performing the tasks referred to in Article 34 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

Article 34U.K.Tasks of the data protection officer

Member States shall provide for the controller to entrust the data protection officer at least with the following tasks:

(a)

to inform and advise the controller and the employees who carry out processing of their obligations pursuant to this Directive and to other Union or Member State data protection provisions;

(b)

to monitor compliance with this Directive, with other Union or Member State data protection provisions and with the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(c)

to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 27;

(d)

to cooperate with the supervisory authority;

(e)

to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 28, and to consult, where appropriate, with regard to any other matter.