Data Protection Officer – learn more

The Data Protection Officer

The Data Protection Officer («DPO») is a role introduced by the GDPR and must not be confused with the processor. The controller or the processor designates the Data Protection Officer in order to receive the support, advice, training and information needed to fully comply with the requirements of the GDPR. The DPO cooperates with the supervisory authority (and the DPO’s contact details must be communicated to the supervisory authority) and is a contact point for data subjects with regard to all issues related to the processing of their personal data and to the exercise of their rights under the GDPR.

The DPO may be a staff member of the controller or the processor, or an external natural person.

The controller and the processor shall ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

The DPO shall directly report to the highest management level of the controller or the processor.

The DPO is not personally responsible for non-compliance with the requirements of the GDPR. It is the controller or the processor who is required to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR: data protection compliance is a responsibility of the controller or the processor.

Obligation to appoint the DPO

Both controllers and processors may be obliged to appoint a DPO. Designation is mandatory in the following cases: public authorities; controllers and processors whose core business involves regular and systematic monitoring of data subjects on a large scale; and controllers and processors whose core business involves processing of special categories of data or of data relating to criminal convictions and offences. Therefore, private controllers and processors need to take into account: core business, regular and systematic monitoring, large scale, and the category of personal data.

Core activities can be considered as the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity.

When determining whether the processing is carried out on a large scale, the factors which should be considered are: the number of data subjects, the territorial extent, the volume and the range of different data items, the duration and persistence of the processing activity.

The meaning of regular and systematic monitoring is not clarified in the GDPR, but it clearly includes all forms of tracking and profiling on the Internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment. Regular may include recurring or repeated activities carried out at particular intervals for a particular period, taking place constantly or periodically. Systematic may be considered as meaning activities occurring according to a system, prearranged or organised activities, activities taking place as part of a general plan for data collection, or activities carried out as part of a strategy.

Note that European Union or Member State law may require the designation of the DPO in other situations as well. 

It is possible to appoint the DPO on a voluntary basis. It is useful and a good practice, encouraged by the supervisory authorities and by the Working Party 29, set up by the repealed Directive 95/46/EC.

When the DPO is appointed on a voluntary basis, the requirements under the GDPR will apply to the designation, position and tasks as if the designation had been mandatory (e.g.: assessment of professional qualities, written appointment, publication of the DPO’s contact details for data subjects and communication to the supervisory authority).

The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks. No specific training course is required.

The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed.

Therefore, relevant skills and expertise include:

1. expertise in data protection national and international legislation and practices, including an in-depth understanding of the GDPR

2. understanding of the processing operations carried out

3. understanding of information technologies and data security

4. knowledge of the specific business activity and organisation of the controller or the processor

5. ability to offer appropriate recommendations and advice in order to design, control and maintain an organised data protection system, cooperating in the implementation of a set of measures (including data security) and safeguards adequate to the organisation of data processing operations envisaged

6. ability to promote a data protection culture in the organisation, also by organising training.

Tasks of the DPO

The GDPR entrusts the DPO, among others, with the duty to monitor compliance with the GDPR. The GDPR further specifies that the DPO should assist the controller and the processor, provide advice, issue recommendations, and monitor internal compliance with the GDPR. Therefore, the controller or the processor should seek the DPO’s advice and support to monitor the respect of the requirements of the GDPR.

In order to do this, the DPO must:

1. collect any information useful for getting to know the processing activities carried out and the organisation in which they are performed, so as to identify the processing activities and their characteristics

2. analyse and check that processing performed is compliant with the GDPR

3. inform, give advice and guidance or suggest appropriate procedures to comply with the GDPR

4. organise training for persons authorised to process personal data

5. be involved in data processing activities from their design stage, giving recommendations and guidelines

6. be the contact point for the supervisory authority and data subjects.

Therefore, the DPO plays a key role in fostering a data protection culture within the organisation and helps to implement essential elements of the GDPR, such as the principles relating to processing, lawfulness of processing, rights of data subjects, data protection by design and by default, Records of processing activities, security of processing, and notification and communication of data breaches.

If a data protection impact assessment is carried out, the controller or the processor should seek the DPO’s advice. The GDPR tasks the DPO with the duty to monitor its performance.

As far as the Records of processing activities are concerned, it is the controller or the processor, not the DPO, who is required to maintain the Records of processing activities. However, nothing prevents the controller or the processor from assigning the DPO the task of maintaining the Records of processing activities. Such Records should be considered as one of the tools enabling the DPO to perform the tasks of monitoring compliance, informing and advising the controller or the processor.

Conflict of interests and performance of tasks in an independent manner

The GDPR requires that the tasks and the skills of the DPO should not result in a conflict of interests. This means, first, that the DPO cannot hold a position which leads the DPO to determine the purposes and the means of data processing. As a rule of thumb, conflicting positions within the organisation may include management positions (e.g.: chief executive, chief operating, chief financial and HR, head of marketing department, head of IT department) but also other roles lower down in the organisational structure if such positions lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise if an external DPO is asked to represent the controller or the processor before the courts in cases involving data protection issues.

There are several safeguards which ensure that the DPO acts in an independent manner. The DPO should receive no instructions from the controller or the processor regarding the exercise of the DPO’s tasks. There should be no dismissal or penalty by the controller or by the processor for the performance of the DPO’s tasks, and no conflict of interests with any other tasks and duties which are performed by the DPO.

Internal or external DPO

The DPO may be a staff member of the controller or the processor (internal DPO) or fulfil the tasks on the basis of a service contract (external DPO). In either case, the appointment shall be in writing and the DPO shall be a natural person. Where appropriate, the DPO may fulfil the function supported by a team, but it shall be clearly identified who the DPO is (the DPO is a single individual). If the DPO is external, the DPO should fulfil the tasks on the basis of a service contract. Such a contract can be concluded with the natural person or with an organisation (e.g.: a company), but the person in charge of the tasks as DPO shall be clearly identified, even though the tasks are carried out with the support of a team.

Joint appointment of the DPO

A group of undertakings or organisations may appoint a single DPO provided that the DPO is easily accessible from each establishment. The notion of accessibility refers to the tasks of the DPO as a contact point with respect to data subjects, the supervisory authority and also internally within the organisation. In order to ensure that the DPO is accessible, whether internal or external, it is important to make sure that contact details are available. The DPO must be in a position to communicate efficiently with data subjects and cooperate with the supervisory authorities concerned. The availability of a DPO (whether physically on the same premises as an employee, via a hotline or through other secure means of communication) is essential to ensure that data subjects and supervisory authorities will be able to contact the DPO. To ensure that the DPO is accessible, it is highly recommended that the DPO is located within the European Union.

Appointment and communication to the supervisory authority of the DPO

The GDPR recognises the DPO as a key player in the new data protection governance system and provides for conditions for the appointment, position and tasks of the DPO.

The appointment of the DPO must be in writing and determine the tasks, having previously ascertained that the person has the professional qualities and skills required by the GDPR. The form of the appointment document is not prescribed and can be freely drawn up.

The DPO’s contact details should be communicated to the supervisory authority: in Italy there is a telematic procedure (Italian version) to be used for such obligation (https://servizi.gpdp.it/comunicazione-rpd/). In order to know what data should be communicated and how to fill in the communication, you can get the template in PDF and the instructions (Italian version) made available by the Italian supervisory authority.

The Italian supervisory authority has also made available a template (Italian version) to communicate the DPO’s revocation.

To learn more, read FAQs or contact me.

Tiziana Minella - Via Vittoria Colonna, 32 - 10155 Torino (TO - Italy) - VAT IT03152590018 - mob. +39 366.4761338 - + 39 338.6626635