Data Protection Officer Flashcards
(15 cards)
Data Protection Officer (DPO)
The person appointed by the controller for the tasks referred to in Art. 39 GDPR: in short, to oversee compliance with data protection law of processing activities carried out by the controller/processor
- A cornerstone of accountability
Until its introduction in the GDPR, it was widely unknown in most EU Member States.
- The model is German data protection law (Datenschutzbeauftragter)
The DPO: Minimum set of tasks
Art. 39 GDPR
- Advising the controller/processor/their employees
- Monitoring compliance with the GDPR/other Union and national data protection provisions
- Assisting the controller in carrying out the Data Protection Impact Assessment (DPIA) (risk-based approach) and monitoring its performance
- Cooperating with the Supervisory Authority and acting as a contact point between the controller and the Supervisory Authorities
- Acting as a contact point for Data Subjects
The DPO: Additional tasks
Art. 38 (6) GDPR
The Data Protection Officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
An evaluation on a case-by-case basis is needed especially if the DPO is an individual within the organizational structure of the controller or processor
(In general, a senior manager, the heads of the IT, marketing and HR Departments, and everyone who is involved in the determination of purposes and means of processing should not be appointed as a DPO).
The DPO
Professionality
Art. 37 (5):
The data protection officer shall be designated on the basis of:
- professional qualities
- expert knowledge of data protection law and practices
- the ability to fulfil the tasks
Article 38 (2):
The controller and processor shall support the data protection officer in performing the tasks by
- providing resources necessary to carry out those tasks
- providing access to personal data and processing operations
- maintaining his or her expert knowledge
The DPO:
When it is mandatory
Art. 37(1):
In three cases:
- the processing is carried out by a public authority or body (irrespective of what data they process), except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;
- the core activities of the controller or the processor consist of processing on a large scale of
a) special categories of data pursuant to Article 9
b) personal data relating to criminal convictions and offences referred to in Article 10.
The relevant legal concepts
a) “public authority or body”;
b) “core activities”
c) “large scale”
d) “regular and systematic monitoring”
RISK-BASED APPROACH: connection with the nature of the data processing activity and not to the quantitative characteristics of the controller/processor itself!
The DPO:
When it is mandatory
On Large Scale
Recital 91:
Large-scale processing operations which aim to process
a) considerable amount of personal data at:
- regional,
- national or
- supranational level and
b) could affect a large number of data subjects
c) result in a high risk.
Not on a large scale if:
the processing concerns personal data from patients or clients by an
- individual physician,
- other health care professional
- lawyer
Art. 29 Working Party Guidelines:
- data subject is a relevant part of population
- volume of data processed
- permanence or duration of data processing activity
- geographical extent of the processing activity
Voluntary designation of the DPO
Art. 37 (4):
the controller or processor may or, where required by Union or Member State law shall, designate a data protection officer.
Once the voluntary DPO has been appointed, he/she assumes the tasks and the responsibilities laid down in the GDPR
The DPO of the Processor
Article 37 applies to both controllers and processors with respect to the designation of a DPO
Depending on who fulfils the criteria on mandatory designation:
- only the controller
- only the processor
- both the controller and its processor
are required to appoint a DPO (who should then cooperate with each other).
Group Data Protection Officer
Art. 37 (2):
A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
The assessment of easy accessibility:
the different languages used by the parties involved
Internal or External DPO
Art. 37 (6):
the DPO can be:
- internal (an employee of the controller/processor)
- external (on the basis of a service contract)
Appointment as DPO can be for a limited period of time
Internal DPO:
«an “employee” of the controller or processor»
Art. 37(6) Natural person
- supported by a special office with the necessary expertise for the purpose of fulfilling his or her duties.
External DPO:
Legal person:
- as long as the natural person suitable to act as a point of contact with the data subjects and the Supervisory Authority is indicated
- appropriate to identify within the organization of the controller or processor an internal person as a contact person for the DPO.
Internal DPO
Pro
- Better insight into the entity’s business and ongoing activities
- Easier to set up the DPMS according to the entity’s needs
- The larger the entity, the more time-consuming the monitoring
- Easier contact point for every group entity
Recommendable for
- Large companies
- Group structures
- Entities carrying out high risk processing
External DPO
Pro
- Pre-existing expertise
- Often adequate insurance coverage
- No employment contract (therefore no contractual obligation)
Recommendable for
- Small and medium size companies
The Data protection officer:
position
Art. 38 (1):
shall be involved early in all matters concerning the processing of personal data and advise on impact assessments
Art. 38 (3) and (6) :
Must enjoy a degree of independence:
- does not receive any instructions
- not be dismissed or penalised
- may fulfil other tasks and duties if they do not result in a conflict of interests
Art. 38 (3):
- report directly to the data controller
Art. 38 (4):
- can be addressed by data subjects
Art. 38 (5):
- Duty of confidentiality
The Data protection officer:
position
Internal vs External
If DPO is Internal:
- No senior management positions or positions with specific functions
(e.g., managing director; member of the board of directors; general manager; IT manager, head of audit and/or risk management, head of the prevention and protection service, etc.)
- No employee with decision-making power regarding the purposes and methods of processing
(e.g., human resources management, marketing management, financial management, etc.).
If DPO is external:
- no conflict of interest
(e.g., IT service provider, software-house, etc.).
The Data protection officer:
liability
The GDPR does not provide for rules on the DPO’s liability
It is up to the Member States to provide for such rules
(e.g.
- contractual liability;
- liability based on the employment relationship between the controller/processor and the DPO;
- tort law)