Does your company need to appoint a data protection officer?


If your business is involved with processing of personal data, you must assess whether your company is obliged to appoint a data protection officer by checking compliance with data protection regulations.

When appointing a specialist, the suitability of the person shall be verified and the public and the Data Protection Inspectorate shall be informed of the appointment of a specialist.

In which case does the company have to appoint a data protection specialist?

Every company deals with the processing of personal data, but every company does not need to appoint a data protection specialist.

An enterprise must appoint a data protection specialist if its core business involves personal data

  • extensive,
  • regular and
  • systematic processing.

Processing of personal data of the company’s own employees is not considered a core activity.

The core activity is the key activity, without which the company cannot meet its daily goals. The processing of personal data relating to the appointment of a specialist must be an integral part of such activity.

For example, according to the Data Protection Inspectorate’s Personal Data Processor’s Guide, without the processing of personal data, it is not possible to provide: a) healthcare services, b) financial services, c) communication services, d) insurance services.

In addition, the Data Protection Officer must appoint (i) public sector bodies or bodies and (ii) processors processing specific types of personal data or criminal records and convictions if they are not covered by our post.

What is extensive computing?

The extent of data processing can be defined on the basis of very different indicators. For example, the European Data Protection Council has recommended to consider:

  • the number or percentage of persons involved in data processing in the population concerned
  • the amount of personal data processed and / or the number of different data records
  • the duration or continuity of the processing of personal data
  • geographical scope of the processing of personal data.

The Data Protection Inspectorate relies primarily on how many persons’ data is involved in monitoring and considers extensive data processing:

  • special type or offense data for 5000 and more people
  • high risk data for 10,000 and more people, examples of which are high:
    • the risk of identity theft or fraud (especially for digital trust service and comparable identity management service)
    • risk to property (especially through bank and credit card service)
    • danger of violation of message secrecy (especially for communication service)
    • real-time tracking of a person’s location (especially for communications)
    • getting the economic status of a person public (especially through tax data, bank data, and credit rating data – but this does not include the use of public data)
    • the risk of legal consequences or discrimination of similar effect (including recruitment services and assessment services affecting salary and career prospects)
    • remaining personal data for 50,000 and more.

What is regular and systematic data processing?

Regular computing. The Personal Data Processor’s Guide explains that the term ‘regular’ extends to data processing that is carried out continuously or at certain intervals and is not random.

Systematic computing. According to the manual, planned and methodical data processing is considered to be systematic data processing.

The Personal Data Processor’s Guide sets out two examples for deciding on the appointment of a data protection specialist.

Example of a Data Protection Officer 1

Small shops order data analysis from a large IT company to identify customer purchase preferences and personalize advertising.

The number of loyal customers in the stores themselves is small, but the data analysis of the IT company providing the service covers a total of over 50,000 people.

Thus, in this example, the responsible processors (shops) do not have to appoint a specialist themselves, but they must be done by their authorized processor (IT company).

Example of a Data Protection Officer 2

The store keeps a record of loyal customers to comply with accounting requirements (billing and storage), but does not make an analysis of customer purchase preferences.

In this case, there is no obligation to appoint a data protection specialist, as customers are not monitored.

Who can be a business data protection specialist?

The role of a Data Protection Officer can be:

  • a data-processing officer (eg a separate post),
  • a data processor subdivision (eg department) or
  • a legal person outside the data processor (eg under a service contract).

However, if the DPO’s functions are performed by the data processor’s sub-unit or by another legal entity, the contact with the public and the supervisory authority should, however, be one specific individual with personal contact details.

How to choose a data protection specialist?

If a company has a duty to appoint a data protection specialist, it should consider the workload of the data protection specialist, depending on the specificities of the company.

It can then be decided whether the post can be filled by an existing employee who is provided with the necessary in-service training, or by recruiting a new specialist.

An alternative is the outsourcing of a data protection specialist service by a professional service provider.

What are Data Protection Officer Tasks?

The main tasks of the Data Protection Officer General Regulation / Directive are:

  • to be a contact point for data subjects on all matters relating to the processing of their personal data and the exercise of their data protection rights
  • to inform and advise the management of their organization (including its partners if necessary) and the staff in data protection
  • monitor the implementation of data protection standards, including the allocation of responsibilities, staff awareness and training, and data protection audit
  • to advise on and monitor the functioning of the data protection impact assessment
  • to cooperate with the Data Protection Inspectorate as a contact person for the employer.

The aforementioned tasks do not interfere with assigning other tasks to the specialist – if this does not hinder the performance of the main tasks.

What do you need to know about a data protection specialist?

The Data Protection Inspectorate has compiled a list of recommended competences, which is a prerequisite for the proper implementation of the role of the Data Protection Officer.

The company’s data protection specialist must know:

  • company values ​​and goals, including vision, mission, and strategy
  • company internal and business processes
  • rules and policies of the organization of the company
  • EU and national data protection law necessary for the operation of the company
  • legislation that may regulate the scope of the organization more narrowly
  • relevant technologies and developments in the field of ICT and information security and their potential effects on organizational processes
  • principles and methods of data analysis and profiling, including aliasing and anonymisation
  • risk assessment and risk management frameworks and methods
  • the framework and methods for conducting a data protection impact assessment
  • relevant sources of information (EU and national legislation, EU and national case law, opinions and guidelines of EU and national data protection authorities)
  • national and, where appropriate, other EU data protection supervisory authorities and contacts with them

A company data protection specialist must:

  • value your work and its importance
  • communicate and perform confidently and effortlessly
  • to involve the company’s management and employees
  • to provide written material in a structured and logical manner and linguistically correct
  • clarify data protection responsibilities and responsibilities for business people
  • compile and implement a corporate data protection strategy
  • to prepare the data protection guidelines necessary for the organization of the company
  • prepare a data protection impact assessment, including identifying the company’s data protection risks and preparing action plans to mitigate risks
  • implement the “default” and “integrated” data protection principles
  • manage and coordinate company data protection processes (project management)
  • identify and document personal data processing operations and personal data breaches
  • to distinguish between personal data breaches for which the data protection supervisory authority and the natural persons subject to the infringement must be notified.

How and who should be informed of the appointment of a data protection specialist?

The Data Protection Inspectorate must be notified of the appointment of a specialist and a convenient opportunity has been created for this purpose through the Enterprise Portal (ettevõtjaportaal). If you have appointed a Data Protection Officer through the Enterprise Portal, you do not need to inform the Inspectorate separately in writing.

Through the portal, the information becomes visible to the public and thus you have also fulfilled the obligation to inform the public.

A person with the right of representation may be notified of the appointment of a data protection specialist through the company portal. Presentation requires the first name, surname and personal identification code / date of birth of the data protection specialist.

See also the Guidance on the Data Protection Inspectorate – How do I submit data protection specialist data in the Enterprise Portal?

What is Personal Information?

Personal information is any information about an identified or identifiable natural person.

An identifiable natural person is a person who can be identified, directly or indirectly, in particular by an identifier such as name, personal identification code, location information, network identifier or one or more physical, physiological, genetic, mental, economic, cultural or social characteristics of that individual.

Thus, all data that is even indirectly attributable to a specific natural person are treated as personal data.

How to find information on data protection regulation?

The area of ​​protection of personal data in the European Union is regulated by Regulation 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter “GDPR” or “Regulation”).

It is a straightforward regulation that applies in the same way in all Member States without the need to adopt national legislation. National legislation only regulates issues that are not covered by the Regulation or for which the Regulation leaves the Member States the right to specify.

The GDPR has a so far unknown concept in the Estonian legal system, the Data Protection Officer. In Estonian legislation, the term data protection specialist is used instead of a data protection officer.


As part of the Data Protection Officer Regulation, each business should consider the following issues:

  • to assess whether a company should appoint a data protection specialist
  • if a data protection specialist needs to be appointed, select the appropriate employee and provide the employee with appropriate training if necessary
  • to clarify and fix the tasks of a data protection specialist within a particular company

If necessary, Magilex can help you implement these steps. We offer both data protection advice and a data protection specialist service.