The DPO cannot be held responsible for failure to comply with the GDPR. Compliance with the GDPR is the responsibility of the organisation that appointed the DPO.

The DPO can be an existing employee with sufficient knowledge of GDPR (if the professional tasks of the employee are compatible with those of the DPO and this does not lead to conflicts of interest) or an external person. The DPO should be able to carry out tasks independently and should be able to report directly to the highest management.

The tasks of the DPO include, among others:

  • to inform and advise the organisation and its employees on data protection compliance;
  • to monitor data protection compliance;
  • to provide advice on requests concerning the data protection impact assessment (DPIA);
  • to act as a contact point for the data protection authority (DPA) and to cooperate with that DPA;
  • to act as a contact point for individuals.

In addition, the DPO’s presence is generally recommended where decisions with data protection implications are taken. The DPO should also be promptly consulted once a data breach or another incident has occurred.

 

The appointment of a DPO is mandatory in the following three cases:

  • the organisation is a public authority;
  • the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
  • the organisation’s core activities consist in large-scale processing of sensitive data or personal data relating to criminal convictions and offences.

You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.

 

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of your organisation’s planned processing operations by carrying out a DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

  • the processing, on a large scale, of sensitive personal data or data related to criminal convictions;
  • a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in question or similarly significantly affect individuals;
  • systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition, several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

No, it is not necessary to make your record of processing public. You must, however, be able to make the record available to the data protection authority upon request.

 

Generally speaking, every organisation should keep a record of its processing activities. This is an inventory of all processing operations and can help you make correct assumptions about your responsibilities under the GDPR and possible risks.

Each of these processing operations must be described in the record with the following information:

  • the purpose of the processing (e.g. customer loyalty);
  • the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
  • who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
  • where applicable, information related to transfers of personal data outside the European Economic Area (EEA);
  • where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective);
  • where possible, a general description of the security measures.

The record of processing activities falls under the responsibility of your organisation’s manager.

This record must be available to the data protection authority of the EEA country where you operate, if requested.

It is not required for organisations employing fewer than 250 persons to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop).

 

Individuals have the right to request erasure of personal data concerning them and in that case, the controller has the obligation to erase the personal data. You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to comply with the request, provided that the individual is informed of this within one month after receiving the request.

It is important to note that the right to erasure is not absolute. It does not apply when the data in question is necessary for:

  • exercising the right to freedom of expression and information (e.g. for journalistic purposes);
  • compliance with a legal obligation which requires the processing of personal data (e.g. processing records on employees’ work hours);
  • reasons of public interest in the area of public health;
  • archiving purposes in the public interest or scientific or historical research purposes or statistical purposes; and
  • the establishment, exercise or defence of legal claims.

When the personal data that is to be erased was previously transferred to other organisations, you must inform these recipients that the individual has requested erasure, unless this proves impossible or would require disproportionate efforts.

 

You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to answer, provided that the individual is informed of this within one month after receiving the request.

You must do this free of charge.

 

Individuals can ask you whether you are processing their data and, where that is the case, they have a right to access that data. So when this happens and if you process their data, you should, for example, provide a copy of their personal data, free of charge, together with any necessary additional information. Where a request is made electronically, your organisation should provide the required information in a commonly used electronic format, unless the individual requests otherwise.

 
