No, you do not need to be certified to become a DPO.

DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.

 

More information:

On the same topic:
Did you find your answer?

DPOs can fulfil other tasks within the organisation, but this cannot result in a conflict of interest. This implies that the DPO cannot have a position in which they determine the purposes and means of the processing activities. Conflicting functions include mainly management positions (chief executive, chief operating, chief financial officer, Head of HR, Head of IT, managing director) but may also involve other functions if they lead to the determination of purposes and means of processing.

The DPO must be able to perform their duties and tasks in an independent manner. This means that your organisation:

  • may not give instructions to the DPO with regard to the performance of their DPO duties;
  • may not penalise or dismiss the DPO for performing their tasks.

 

More information:

On the same topic:
Did you find your answer?

The DPO cannot be held responsible for failure to comply with the GDPR. Compliance with the GDPR is the responsibility of the organisation that appointed the DPO.

More information:

On the same topic:
Did you find your answer?

The DPO can be an existing employee with sufficient knowledge of GDPR (if the professional tasks of the employee are compatible with those of the DPO and this does not lead to conflicts of interest) or an external person. The DPO should be able to carry out tasks independently and should be able to report directly to the highest management.

More information:

 

On the same topic:
Did you find your answer?

The task of the DPO include, among others:

  • to inform and advise the organisation and its employees on data protection compliance;
  • to monitor data protection compliance;
  • to provide advice on requests concerning the data protection impact assessment (DPIA);
  • to act as a contact point for the data protection authority (DPA) and to cooperate with that DPA;
  • to act as a contact point for individuals.

In addition, the DPO’s presence is generally recommended where decisions with data protection implications are taken. The DPO should also be promptly consulted once a data breach or another incident has occurred.

 

More information:

Did you find your answer?

The appointment of a DPO is mandatory in the following three cases:

  • the organisation is a public authority;
  • the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
  • the organisation’s core activities consist in large-scale processing of sensitive data  or personal data relating to criminal convictions and offences.

You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.

 

More information:

Did you find your answer?

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of planned processing operations of your organisation by doing DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

  • the processing - on a large scale- of sensitive personal data or data related to criminal convictions;  
  • a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in questions or similarly significantly affect individuals;
  • systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

More information:

Did you find your answer?

No, it is not necessary to make your record of processing public. You must, however, be able to make the record available to the data protection authority upon request.

 

More information:

 

On the same topic:
Did you find your answer?

Generally speaking, every organisation should keep a record of their processing activities. This is an inventory of all processing operations and can help you make correct assumptions of your responsibilities under the GDPR and possible risks.

Each of these processing operations must be described in the record with the following information:

  • the purpose of the processing (e.g. customer loyalty);
  • the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
  • who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
  • where applicable, information related to transfers of personal data outside the European Economic Area (EEA),
  • where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective).
  • where possible, a general description of the security measures.

The record of processing activities falls under the responsibility of your organisation’s manager.

This record must be available to the data protection authority of the EEA country where you operate, if requested.

It is not required for organisations employing fewer than 250 persons to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop).

 

More information:

 

Did you find your answer?

Individuals have the right to request erasure of personal data concerning them and in that case, the controller has the obligation to erase the personal data. You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to comply with the request, provided that the individual is informed of this within one month after receiving the request.

It is important to note that the right to erasure is not absolute. It does not apply when the data in question is necessary for:

  • exercising the right to freedom of expression and information (e.g. for journalistic purposes);
  • compliance with a legal obligation which requires the processing of personal data (e.g. processing records on employees’ work hours);
  • reasons of public interest in the area of public health
  • archiving purposes in the public interest or scientific or historical research purposes or statistical purposes; and
  • the establishment, exercise or defence of legal claims.

When the personal data that is to be erased was previously transferred to other organisations, you must inform these recipients that the individual has requested erasure, unless this proves impossible or would require disproportionate efforts.

 

More information:

On the same topic:
Did you find your answer?
Subscribe to