Does a small online store need an IOD?

What is IOD?

A Data Protection Officer (in Polish: Inspektor Ochrony Danych, IOD) is a person or company designated to oversee compliance with data protection regulations within an organization. The obligation to appoint one arises from the General Data Protection Regulation (GDPR, known in Poland as RODO), i.e. Regulation (EU) 2016/679.

When does an online store not have to appoint an IOD?

A small online store does not have to appoint an IOD if:

* It does not process data on a large scale; for example, it has tens or hundreds of customers per month.
* It does not process sensitive data (e.g. health, religion, sexual orientation).
* It does not regularly monitor individuals (for example, through geolocation, behavior analysis, credit scoring, etc.).
* It does not process children's data; a toy store, for example, does not need to collect data about children.

For most typical small online stores (e.g. clothing, cosmetics, gadgets), implementing a RODO policy and security measures is sufficient, and an IOD need not be appointed.

When is an IOD obligatory?

The appointment of an IOD is obligatory in the following cases:

* You are a public entity (this does not apply to shops).
* Your main activity involves regular and systematic monitoring of individuals on a large scale (for example, advanced tracking, profiling, scoring).
* You process special categories of data on a large scale (e.g. health data or biometric data, as in online medical or dietary services).

What to do instead of appointing an IOD?

Instead of appointing an IOD, a small online store should:

* Have a privacy policy in line with RODO.
* Obtain consent for data processing if required (e.g. newsletter).
* Ensure data security: passwords, SSL, and access to data only for authorized persons.
* Provide contact details for the person responsible for RODO (e.g. shop owner).

Summary

| Question | Answer |
| --- | --- |
| Is a small online store required to have an IOD? | ❌ Usually not |
| When must it be appointed? | ✅ Only in specific and rare cases |
| What should it have instead? | ✅ Privacy policy, security measures, procedures in line with RODO |