Where can I find an accredited DPO?
What is the role of the licensed DPO in the GDPR?
An accredited DPO takes care of all your personal data.
- The controller and processor shall designate a data protection officer in each case in which:
(a) the processing is carried out by a public authority or public body, except in the case of courts in the exercise of their judicial functions;
(b) a controller or processor is primarily in charge of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic observation on a large scale of data subjects;
(c) the controller or processor is primarily in charge of large-scale processing of special categories of data under Article 9 and of personal data relating to criminal convictions and offenses referred to in Article 10.
2. A concern may appoint a single data protection officer or DPO, provided that the approved DPO can be easily contacted from each branch.
3. Where the controller or processor is a public authority or public body, a single data protection officer may be designated for several such authorities or bodies, taking into account their organizational structure and size.
4. In other cases, or if so required by Union or Member State law, the controller or processor or associations and other bodies representing categories of controllers or processors may or, if so required by Union or Member State law, must designate a data protection officer. The authorized DPO may act for such associations and other bodies representing categories of controllers or processors.
5. The DPO shall be appointed on the basis of his professional qualities and in particular his expertise in data protection law and practice and his ability to perform the tasks referred to in Article 39.
6. The DPO may be a staff member of the controller or processor or may perform the duties under a service agreement.
7. The controller or processor shall disclose and communicate the contact details of the DPO to the supervisory authority.
Does my company need a data protection officer or DPO?
Whether you should hire a DPO depends on a few factors. There are three types of companies that are required to hire a DPO:
- All public sector organizations (except judicial bodies), such as government organizations
- companies that require “regular and systematic observation” of the data processing, for example because of their “nature, extent or purposes” of processing;
- companies that process personal data from a “special category,” such as information about race, political opinions, religion, biometric data, health, sexual orientation or criminal convictions.
It is also important to note that under a previous proposal of the GDPR, a DPO could only be mandatory for companies with more than 250 employees. However, that condition is missing from the final version; thus, company size does not matter now.
Additionally, what the legislation has in mind by the “nature, scope or purposes” is not specifically clarified. Perhaps this refers to big data, but an exact description remains elusive.
Position of the DPO in GDPR legislation?
1. The controller and the processor shall ensure that the DPO is properly and timely involved in all matters relating to the protection of personal data.
2. The controller and the processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing him with access to personal data and processing operations and by providing him with the necessary resources to perform these tasks and maintain his expertise.
3. The controller and the processor shall ensure that the DPO does not receive instructions regarding the performance of those duties. He shall not be dismissed or penalized by the controller or processor for performing his duties. The Data Protection Officer shall report directly to the senior manager of the controller or processor.
4. Data subjects may contact the DPO on any matter relating to the processing of their data and the exercise of their rights under this Regulation.
5. D DPO shall be bound to secrecy or confidentiality in respect of the performance of his duties in accordance with Union or Member State law.
6. The Data Protection Officer or DPO may perform other duties and tasks. The controller or processor shall ensure that these tasks or duties do not create a conflict of interest.
Where can I find a DPO?
The DPO does not necessarily have to be a permanent employee; you can also opt for a consultant. Moreover, an existing employee can also assume the role of DPO, as long as his other duties do not conflict with his job as DPO. Both options can reduce costs, and make finding a suitable DPO much easier.
In addition, the GDPR does not describe the specifications that apply to a DPO. There is no mention of a specific degree or certificate; instead, he must have “expertise in data protection law and practice.” With that broad definition, the way is open for existing workforces, such as legal consultants or privacy officers, to pick up the job of DPO.
In other words, if your organization processes data on a large scale, it is likely that you will need to look for a DPO.