Article 37 of the GDPR covers the designation of the data protection officer. The controller or the processor shall designate a data protection officer where:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
- A group of undertakings may appoint a single data protection officer, provided that the data protection officer is easily accessible from each establishment.
- Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
- In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
- The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
- The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
- The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
The DPO (data protection officer) role under the GDPR
Although all EU organisations have to comply with the GDPR, not every single one of them must appoint a DPO. Organisations must evaluate their operations and size and understand whether they need to appoint a DPO. If they do, the second stage is to designate a DPO based in the EU, ensuring that the appointment of that person does not raise any conflict of interest that could harm the organisation or its compliance.
The DPO’s role was introduced by the EU’s GDPR (General Data Protection Regulation). Among other things, DPOs monitor a company’s compliance with the GDPR, inform on data protection obligations, and act as the contact person for the data subjects (EU natural persons whose data are processed by the organisation) and for the company’s supervisory authority.
The DPO reports directly to the Board of Directors of the organisation and undertakes the following duties and responsibilities under the GDPR:
- Informs and advises the organisation and its employees of their data protection obligations under the GDPR.
- Monitors the organisation’s compliance with the GDPR and with internal data protection policies and procedures, as well as the assignment of responsibilities and the training and education of the staff involved in processing data subjects’ personal data.
- Advises on whether a DPIA (data protection impact assessment) is necessary, how to conduct one and what outcomes to expect.
- Serves as the contact point for the supervisory authority on all data protection issues, including data breach reporting.
- Acts as the contact person for data subjects on data protection matters, including DSARs (data subject access requests).
If any of the following three situations applies to you, you should appoint a DPO:
- the organisation is a public authority or body.
- the organisation’s core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
- the organisation’s core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences.
Being a small or medium-sized organisation is not in itself grounds for exemption from the DPO requirement.
Even where an organisation assesses that the GDPR does not require it to appoint a DPO, the WP29 (Article 29 Working Party) strongly encourages appointing one as a matter of good practice and to demonstrate compliance with the Regulation.
Under the GDPR, organisations may choose whether to appoint an in-house DPO or an external/outsourced DPO. The DPO may be a member of the existing staff (internal DPO), a person hired for this purpose, or an independent party to whom the role is outsourced.
In every case mentioned above, the DPO must be given the necessary resources and authority to perform his/her duties. Given the sensitivity of the role’s duties and responsibilities, the DPO must have adequate support from the highest level of the organisation’s management body as well as cooperation from the rest of the staff.
Given the low supply of and high demand for DPO-trained professionals, as well as the costs of hiring a dedicated in-house DPO and the conflicts of interest this may give rise to in some cases, many organisations across the globe choose the outsourcing option.
Although the GDPR is an EU regulation, it also affects organisations outside the EU that process the data of EU data subjects. These can be clients, employees, members of the management body, etc. In such cases, most organisations based outside the EU opt to outsource the DPO to a provider on the territory of the EU.
At 7F we are committed to beating the prices and improving the system. Our prices are always tailored to the business’s needs and size.
A fair assessment is always recommended in order to understand the organisation’s needs and the demands placed on a DPO.
Friendly cost is based on the following principles, among others, and on the separation of duties:
- Acting as contact person for the data subjects
- Number of inquiries the DPO has received from the data subjects
- Training of staff
- On-site inspections
- DPIAs
- IT, AI and web-development specialists’ opinions and involvement where needed