New EU data protection law: Data Protection Officer

The General Regulation on Data Protection (GDPR) which will apply from 25th May 2018, introduces the position of the Data Protection Officer (DPO). The DPO shall be the contact person for and shall be involved in all data protection related issues of the given entity. The DPO is either an employee (so called internal DPO) or a third-party contractor (so called external DPO). The DPO is an organ within the company which liaises with the authority, the company and the data subjects.

Designation

Both controllers and processors may be obliged to designate a DPO. Such obligation applies to (i) public bodies (except for courts) (ii) controllers and processors, the core activities of which consist of regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data (such as racial or ethnic origin, religion, health etc.) or data on criminal convictions and offences. Insurance companies, medical-service providers, but possibly also companies which maintain loyalty programs or video surveillance systems, must designate a DPO. In case of the intended expansion of services it shall be assessed whether the expansion entails no designation obligation. In accordance with the flexibility clause the member states may adopt special regulations in relation to the designation of the DPO.

A group of undertakings may appoint a single DPO, but he/she shall be easily accessible from each establishment. When designating a DPO it shall always be ensured that his/her other tasks within the company may not lead to a conflict of interest. Such conflict would occur for example in case of a marketing manager.

Independence

Designation of a DPO will not relieve the company of the liability for the compliance with the GDPR. The DPO may neither receive instructions nor be dismissed or penalized in relation to performing his/her tasks. However, this shall not prevent the company from asserting damage claims under the relevant national laws. The company must provide resources necessary to carry out the DPO’s tasks and grant him/her access to processing operations. The DPO shall directly report to the highest management level of the company.

Qualities and duties

The DPO shall have professional experience and expert knowledge in the field of data protection law and practices. The DPO shall receive support from the other departments of the company, especially from IT or legal department, or where necessary from a separate team.

The DPO shall participate in all issues within the company which relate to the protection of personal data. The DPO has to collect and analyze information on data processing and make recommendations accordingly. In particular, the DPO provides information on obligations under the GDPR, the national data protection laws and internal privacy policies, monitors compliance therewith and cooperates with the supervisory authority. In relation to the performance of his/her tasks, the DPO shall be bound by confidentiality.

Information requirements

The contact details of the DPO (not necessarily his/her name) shall be published in the first place on the website and in intranet. Furthermore, the contact details of the DPO shall be communicated to the supervisory authority.

Should you have any queries, please do not hesitate to contact one of our offices.