Article 158 PDPA
Information security administrator as data protection officer

1. The person serving as information security administrator on May 24, 2018, as referred to in the law repealed by Article 175, shall become a data protection officer and shall serve until September 1, 2018, unless the administrator notifies the President of the Office of the appointment of another person as data protection officer before that date, in the manner specified in Article 10(1).

2. A person who has become a data protection officer pursuant to paragraph 1 shall continue to perform his/her function even after September 1, 2018, if by that date the controller notifies the President of the Office of his/her appointment in the manner specified in Article 10(1).

3. The person referred to in paragraph 1 may be dismissed by the controller without notifying the President of the Office of the appointment of another person as data protection officer, in case the controller is not obliged to appoint a data protection officer.

4. A controller who has not appointed an information security administrator referred to in the law repealed in Article 175 before the date of entry into force of this Law shall be obliged to appoint a data protection officer pursuant to Article 37 of Regulation 2016/679 and notify the President of the Office of his appointment by July 31, 2018.

5. A processor that is obliged to appoint a data protection officer pursuant to Article 37 of Regulation 2016/679 shall appoint a data protection officer and notify the President of the Office of the appointment, in the manner specified in Article 10(1), by July 31, 2018.