The General Data Protection Regulation (GDPR) introduces new data protection novelties. One of these novelties is the obligation imposed of appointing a new person, the Data Protection Officer (DPD or DPO in English). This obligation will affect the from data proccesing is carried out.
This obligation is framed within the principle of proactive responsibility of the data controller in the field of data protection. It provides a better control and efficiency in line with the above regulations.
Who is the Data Protection Officer?
The Data Protection Officer is a new figure introduced by the General Data Protection Regulation (GDPR).
In order to obtain the data protection delegate certification, the AEPD (Spanish Agency for Data Protection) has promoted a Certification scheme so that those responsible can select professionals whose skills as DPO have been certified by entities accredited by ENAC.
What are the duties of Data Protection Officer?
According to the Certification scheme promoted by the AEPD, the DPO is a professional whose functions are included in article 39 of the GDPR (RGPD in Spanish) and in articles 26 and 27 of the Organic Act on Protection of Personal Data and guarantee of digital rights.
This includes the application of privacy and data protection law.
The DPO shall have at least these following functions:
- To inform and advise the person in charge, or the person in the charge of the processing, and the persons authorized to process personal data under their direct authority, by virtue of the GDPR, the LOPDPGDD and other data protection provisions of the EU or its States members;
- To supervise compliance within the provisions of the GDPR, the LOPDPGDD and other data protection provisions of the EU and its Member States’ data protection laws, as well as he policies of the responsible person or person responsible for the processing of personal data;
- To supervise the assignment of the responsibilities;
- To supervise the awareness and training of the personnel involved in the processing operations;
- To supervise the corresponding audits;
- To provide advice on the data protection impact assessments and monitor their application in accordance with Article 35 GDPR;
- To cooperate and act as an interlocutor with the supervisory authority in matters related to the processing of personal data, including prior consultations reoffered to in art. 36 GDPR
The Data Protection Officer will perform his duties while paying attention to the risks associated with the processing operations, taking into account the nature, scope, context and purpose of the processing.
The DPO will always carry out its functions with complete independence and in an autonomous manner, without instructions, and being directly accountable to the highest hierarchical level.
To perform his functions, the DPO must have specialist knowledge of data protection law and practice, so that DPO is able to carry out his advisory and supervisory tasks, inter alia, the following areas:
- Compliance with processing rules such as the limitation of purpose, minimization or accuracy of data.
- Identification of the legal ground for processing.
- Compatibility assessment for purposes other than those that led to the initial collection of data.
- Establishment of the existence of sectoral regulations that may set specific processing conditions other than those set out in the genral data protection law.
- Creation and implementation of information measures for those affected by data processing.
- Establishment of procedures for the receipt and management of applications for the exercise of rights by interested parties.
- Assessment of requests to exercise rights by interested parties.
- Employing the processors, including the content of the contracts or legal acts that regulate the data processor relationship.
- Identification of instruments for international data transfers that responds to the needs and characteristics of the organization and the reasons that justify the transfer.
- Creation and implementation of data protection policies.
- Data protection audit.
- Establishment and management of records of processing activities.
- Risk analysis of the processing carried out.
- Implementation data protection measures from creation and default data protection appropriate to the risk and nature of processing.
- Implementation of safety measures appropriate to the risk and nature of processing.
- Establishment of procedures for managing data in case of security breaches, including the risk assessment for the rights and freedom of those affected and procedures for notifying the supervisory authorities and those affected.
- Determination of the nedd to carry out the impact assessment on data protection.
- Conducting the data protection impact assessments.
- Relations with supervisory authorities.
- Implementation of training and awareness programs for employees on data protection.
When do you need a Data Protection Officer?
According to Art.37 GDPR, the person in charge and the person in charge of data processing will designate a DPO when:
- It is a authority or public body that processes the personal data
- The main activities are processing operations that require a regular and systematic observation of interested parties on a large scale or,
- The main activities of the responsible or accountable person are the large-scale processing of special categories of personal data, as well as data related to criminal convictions and offenses.