One of the most important novelties in the data protection policy within the European Union is the legal regulation of the Data Protection Officer.
It is a person with brand new responsibilities and obligations, introduced by the proposed EU Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, available here).
Who is a Data Protection Officer? Is the position mandatory? What are the requirements for private companies? This article gives an overview of these issues.
The legal regulation of the Data Protection Officer is one of the biggest changes included in the new regulatory framework of EU data protection. It is introduced in Articles 35-37 of the cited Proposal of the Regulation. These articles set out the basic rights and obligations of the Officer.
Who has a duty to designate a Data Protection Officer?
Under Article 35(1), the controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body; or
(b) the processing is carried out by an enterprise employing 250 persons or more;
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
The following subsections of Article 35 introduce several exceptions, as well as further details on how companies and public authorities may designate the Officer.
The position of the Data Protection Officer
The subsections of Article 35 and Article 36 deal with the position of the Officer. The data protection officer should be properly and in a timely manner involved in all issues which relate to the protection of personal data. The tasks should be performed independently. The Officer shall report directly to the management of the controller or the processor. Furthermore, the Officer should be provided with any staff, premises, equipment and any other resources necessary to carry out the duties and tasks.
The tasks of the Data Protection Officer
Pursuant to Article 37, the major tasks of the Officer are (the list is not exhaustive):
- to inform and advise the controller or the processor;
- to monitor the implementation and application of the policies, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;
- to monitor the implementation and application of the EU Regulation;
- to monitor the documentation, notification and communication of personal data breaches;
- to monitor the response to requests from the supervisory authority.
The Article includes further specific tasks of the Officer. Moreover, the Commission is empowered to adopt delegated acts for the purpose of specifying the criteria and requirements.
Obligations associated with the Data Protection Officer
If the controller or the processor has an obligation to designate the Officer, the Regulation includes rules on how to do it and where the designation should be notified, as well as certain obligations concerning the internal rules of the company. The Officer would also play an important role in the relationship between the processor or the controller and the supervisory authority. It should not be forgotten that the Commission is empowered to further specify the criteria and characteristics of all positions involved.
This article gives a brief overview of the legal issues surrounding the Data Protection Officer. However, the topic needs further analysis. Therefore, Data IT Law will return to this topic, since, in the context of the European Union, it may affect a lot of people and companies. Until then, feel free to contact us with any questions, remarks or your experience with Data Protection Officers.
Note: This article is intended as a summary of issues. Its purpose is not to provide legal advice or to create an attorney-client relationship between you and the author of this article.