SimpLEGAL solution: Data protection officer (DPO) services with consistent expert availability

What is the role of a DPO?

The data protection officer (DPO) assists and supports data protection compliance for various businesses and other organizations, regardless of their area of operation. In some cases, the appointment of a DPO is mandatory under the European General Data Protection Regulation (GDPR); in other cases it is optional. In all cases, however, only a DPO with professional expertise in data protection law and practice can perform the tasks that ensure that a business or organization complies with current data protection laws and is not subject to a data protection fine for non-compliance.

An employee or an external expert (such as a law firm) may be appointed as DPO. However, in the case of employees, conflict of interest rules may be particularly relevant and may be an obstacle to designating such persons as DPO (for example, typically the managers of the company cannot perform DPO duties). These obstacles may be less likely to arise in the case of an external expert.

In which cases is it mandatory to designate a DPO?

The GDPR provides for the mandatory designation of a DPO in several cases:

  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (for example: organizations using software solutions for monitoring data subjects’ behavior, artificial intelligence-based monitoring as a core business);
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data (for example: health data) and personal data relating to criminal convictions and offences (for example: health service providers);
  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.

In which cases is it recommended to designate a DPO even if it is not mandatory?

In addition to the above mandatory cases, a company or organization may also decide to designate a DPO to support its data protection compliance. A number of large US-based technology companies have done the same; they would not typically be required to designate a DPO under the GDPR, but have chosen to do so because of their extensive technology services and the specific nature of the given organization or group. The designation of a DPO may also be recommended for other types of companies or groups of companies, in particular in the case of mass processing of personal data using new technologies.

How can we help you as your DPO with consistent availability?

As a DPO, we provide full and daily support in relation to our customers’ data protection compliance. This is typically provided for a fixed monthly fee:

  • providing professional advice on data protection compliance, including answering data protection and data security questions that arise on a daily basis;
  • reviewing and commenting on data protection and related internal documentation and contracts;
  • providing advice on data protection compliance of internal processes, procedures and regulatory solutions;
  • providing training on data protection and data security for employees and experts of the company;
  • in the event of a personal data breach, immediate legal advice and support in handling the personal data breach in accordance with data protection laws and in making the necessary notifications to the authorities and to the general public as necessary;
  • liaising with the data protection supervisory authority as necessary.

Our success stories in this field

In recent years, we have provided ongoing data protection advice to a European-based technology company, enabling it to operate free from data protection risks and to become a model company in its field.

 

 
