Privacy officer responsibilities under Law 25

Law 25 requires you to designate a person responsible for the protection of personal information: the privacy officer. In an SMB, this is often the owner or a manager who carries the role part time. The trap? Having a name on the policy, but an email inbox nobody reads.

Designation and publication requirement

You must officially designate a privacy officer and make their contact details accessible: on your website, in your privacy policy, and, where applicable, in your communications with individuals.

Key point: a generic, unmonitored email address ("info@") is a weakness if nobody handles access, rectification, or consent withdrawal requests within the required deadlines.

Key tasks of the privacy officer

Avoid a "paper-only" role

  1. Written mandate: scope, escalation authority, time allocated (even half a day per month counts).
  2. Quarterly review: vendors, incidents, website updates.
  3. Written records: emails, registers, committee decisions to demonstrate reasonable diligence.
  4. Clear delegation: execution can be delegated; ultimate accountability stays at the leadership level.

However, delegating without a mandate or budget recreates the ghost role. Give the privacy officer real leverage: access to contracts, incidents, and digital projects.

In practice: the privacy officer does not have to be a full-time IT expert or lawyer. They are the accountable point of contact who connects the law, operations, and the public website.

In brief

Useful references

This text is for information only and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.

Check your website

Privacy officer contact details must be findable on the public site, with an up-to-date policy. Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.