Data Protection Officer (DPO)

Published by: EUROPEAN DATA PROTECTION SUPERVISOR, the EU's independent data protection authority.

What you should know about the Data Protection Officer

The primary role of the data protection officer (DPO) is to ensure that her organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. In the EU institutions and bodies, the applicable Data Protection Regulation, Regulation (EU) 2018/1725 (which replaced Regulation (EC) No 45/2001: https://edps.europa.eu/sites/edp/files/publication/reg_45-2001_en.pdf), obliges each of them to appoint a DPO. Regulation (EU) 2016/679 (the GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC), which obliges some organisations in EU countries to appoint a DPO, has applied since 25 May 2018.

Appointing a DPO

The appointment of a DPO must, of course, be based on her personal and professional qualities, but particular attention must be paid to her expert knowledge of data protection. A good understanding of the way the organisation operates is also recommended.

Position of the DPO in the organigramme

The DPO is an integral part of the organisation, making her ideally placed to ensure compliance. Nevertheless, the DPO should be able to perform her duties independently. In the EU institutions and bodies (https://europa.eu/european-union/about-eu_en), a number of assurances guarantee this independence:

1. The applicable rules for EU institutions and bodies expressly provide that the DPO shall not receive any instructions regarding the performance of her duties.
2. There must not be a conflict of interest between the duties of the individual as a DPO and her other duties, if any. To avoid conflict, it is recommended that:
   - a DPO should not also be a controller of processing activities (for example, the head of Human Resources);
   - the DPO should not be an employee on a short or fixed-term contract;
   - the DPO should report to top management rather than to a direct superior;
   - the DPO should have responsibility for managing her own budget.
3. The organisation must offer staff and resources to support the DPO in carrying out her duties. In this respect, DPOs in EU institutions and bodies can be supported by an assistant or deputy DPO, and can rely on data protection coordinators (DPCs) in each section of the organisation. Access to resources also includes training facilities.
4. The DPO should have the authority to investigate. In EU institutions and bodies, for instance, DPOs have immediate access to all personal data and data processing operations; those in charge are also required to provide information in reply to her questions.
5. A minimum term of appointment and strict conditions for dismissal must be set out by the organisation for the DPO post. In the EU institutions and bodies, the DPO is appointed for a period of between 2 and 5 years, may be reappointed up to a maximum of 10 years in total, and can be dismissed only with the consent of the EDPS. (These figures are those of Regulation (EC) No 45/2001; Regulation (EU) 2018/1725, Article 44(8), sets a term of between three and five years, allows reappointment, and keeps the requirement that dismissal needs the consent of the EDPS.)

Tasks of the DPO

The DPO has to ensure that the data protection rules are respected, in cooperation with the data protection authority (for the EU institutions and bodies, this is the EDPS). In the EU institutions and bodies, the DPO must:

- ensure that controllers and data subjects are informed about their data protection rights, obligations and responsibilities, and raise awareness about them;
- give advice and recommendations to the institution about the interpretation or application of the data protection rules;
- create a register of processing operations within the institution and notify the EDPS of those that present specific risks (so-called prior checks, a mechanism of Regulation (EC) No 45/2001 that Regulation (EU) 2018/1725 replaces with data protection impact assessments and prior consultation of the EDPS);
- ensure data protection compliance within her institution and help the latter to be accountable in this respect;
- handle queries or complaints on request by the institution, the controller or other person(s), or on her own initiative;
- cooperate with the EDPS (responding to his requests about investigations, complaint handling, inspections conducted by the EDPS, etc.);
- draw the institution's attention to any failure to comply with the applicable data protection rules.

More information

List of the DPOs appointed by the EU institutions and bodies:
https://edps.europa.eu/node/53 (formerly https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/DPOnetwork)

The following non-exhaustive list is a selection of documents for further reading about DPOs:

- Report on the Status of Data Protection Officers: https://edps.europa.eu/sites/edp/files/publication/2012-12-17_dpo_status_web_en.pdf
- Professional Standards for Data Protection Officers of the EU institutions and bodies: https://edps.europa.eu/sites/edp/files/publication/10-10-14_dpo_standards_en.pdf
- Survey on the function of DPC at the EU Commission: https://edps.europa.eu/sites/edp/files/publication/13-01-25_dpc_survey_report_en.pdf

The original piece, as published by the EDPS on 20/5/2019: https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en