Overview of the Individuals’ Rights Under the GDPR


Under the General Data Protection Regulation (GDPR), individuals have several rights over their personal data (e.g. the right of access, the right to data portability, etc.).

Controllers and, to some extent, processors of personal data must be able to handle individuals' rights requests without delay and, in any event, within a month of receipt of the request. They should therefore implement all the technical and organisational measures necessary to respond efficiently to any potential inquiry.

Data Protection Impact Assessment (DPIA)


Under the General Data Protection Regulation (GDPR), controllers must now:

• Keep a record of their processing activities (see here for more details); and
• Carry out a Data Protection Impact Assessment (DPIA) where the data processing is likely to result in a high risk to the rights and freedoms of the data subjects.

A DPIA is a process designed to describe the processing, assess its necessity and proportionality, and manage the risks to individuals' rights and freedoms resulting from it.

Data Protection Officer: Appointment, Position and Skills


When an organisation appoints a Data Protection Officer, whether on a voluntary basis or because its processing activities meet the criteria set out in the GDPR (see here for more details), it should pay attention to the following points at the time of the DPO's appointment:

• The contractual relationship between the DPO and the controller or processor
• The skills and level of expertise of the DPO
• The position of the DPO within the company organisation and the resources to be allocated

Data Protection Officer’s Role and Responsibilities


Under the General Data Protection Regulation (GDPR), when an organisation must or chooses to appoint a Data Protection Officer (see here), the latter must, at least, be in charge of the following tasks:

• Informing and advising the controller or the processor and their employees who carry out processing operations of their obligations under the Regulation and other Union or Member State data protection provisions;

• Monitoring compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

• Providing advice where requested as regards the data protection impact assessment and monitoring its performance;

• Cooperating with the supervisory authority;

• Acting as the contact point for the supervisory authority on issues relating to processing, including the prior consultation.

When to Appoint a Data Protection Officer


The designation of a Data Protection Officer (DPO) is either mandatory or voluntary depending on (i) the kind of organisation, (ii) its activities and/or (iii) the type of processing operations it carries out (e.g. scale, type of data, etc.).

According to Article 37(1) of the General Data Protection Regulation (GDPR), the designation of a DPO is required in three specific cases:

Where a public authority or body carries out processing operations (case 1);

Where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (case 2); or

Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences (case 3).