The data controller and the data processor designate a data protection officer where:

1. the processing of personal data is carried out by public or private corporate body or a legal entity, except courts;
2. the core activities of the data controller or the data processor consist of personal data processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale;
3. the core activities of the data controller or the data processor consist of processing on a large scale of special categories of data pursuant to Article 10 of this Law and personal data relating to criminal convictions referred to in Article 12 of this Law.

A group of undertakings may appoint a single personal data protection officer provided that the data protection officer is easily accessible from each establishment

Where the data controller or the data processor is a public authority or body, a single personal data protection officer may be designated for several such authorities or bodies, taking account of their organizational structure and size.

In cases other than those referred to in Paragraph one of this Article, the data controller or the data processor or associations and other bodies representing categories of data controllers or data processors may designate a personal data protection officer in accordance with the provisions of this Law.

The data protection officer is designated on the basis of professional qualities, expert knowledge of personal data protection, practices and the ability to fulfil the tasks assigned to him or her.

The personal data protection officer may be a permanent staff member of the data controller or the data processor, or a person who fulfils the tasks on the basis of a service contract.

The data controller or the data processor must publish the contact details of the personal data protection officer and communicate them to the supervisory authority.