The National Cyber Security Authority Office ('NCSA') published, on 21 February 2022, guidance on why institutions need a data protection officer ('DPO'). In particular, the NCSA noted that Article 40 of the Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy ('the Data Protection Law') indicates the need to designate a DPO for any processing of personal data. In addition, the NCSA emphasised that whether an institution acts as a data controller, data processor, or both of these roles, the Data Protection Law makes it mandatory to ensure the DPO role is filled, if the institution is processing personal data. Furthermore, the NCSA emphasised that those who do not comply with the mandatory appointment of a DPO in situations where personal data is being processed, commit an offence pursuant to Article 53 of the Data Protection Law. Moreover, the NCSA stated that the duties of the DPO outline the importance of having this role filled for every institution that processes personal data, as the DPO provides expertise and knowledge, ensures appropriate compliance with the Data Protection Law, and acts as the registered contact person for the supervisory authority. Hence, the NCSA stated that it is critical that this provision is observed in order to ensure effective compliance with the Data Protection Law. Moreover, the NCSA stated that adding this provision on appointing a DPO ensures that the Data Protection Law aligns with global standards of data protection frameworks.

You can read the guidance here.