Firm Creobis, Berchem, results 7 March 2017


Slide 1: DATA PROTECTION OFFICER
Legal minds
Firm Creobis, Berchem, results 7 March 2017

Slide 2: INTRODUCTION
- Personal data protection official (Art. 18(2) Dir 95/46)
- Data protection officer: controller and processor obligation (Art GDPR, Preamble)
- WP 29, 16/EN WP243, 13/12/2016
- FAQ WP243

Slide 3: MANDATORY DPO
You MUST appoint a DPO in any case where:
- Situation 1: processing by a public authority
- Situation 2: core activities = regular and systematic monitoring on a large scale
- Situation 3: core activities = large-scale processing of health/sensitive/biometric/genetic/judicial data
- Situation 4: required by EU or national law
NOT relevant for this obligation: whether the processing is likely to result in a high risk to the rights and freedoms of natural persons

Slide 4: VOLUNTARY DPO
You MAY appoint a DPO in all other situations (WP29: recommended).
- No confusion about title, status, position or tasks (chief privacy officer, data protection desk, ...)
- Advantages: mitigating factor for administrative fines? Legitimate interest, DPIA, accountability

Slide 5: SITUATION 2: 6 CRITERIA (1)
- Core activities: primary vs ancillary
- Consist of processing operations
- Which by nature, scope and/or purposes

Slide 6: SITUATION 2: 6 CRITERIA (2)
- Require a regular and systematic
- Regular: one or more of the following: ongoing or occurring at particular intervals; recurring or repeated; constantly or periodically taking place
- Systematic: one or more of the following: according to a system; pre-arranged, organised or methodical; part of a general plan/strategy

Slide 7: SITUATION 2: 6 CRITERIA (3)
- Monitoring: monitoring processing; tracking and profiling on the WWW; behavioural advertising; also offline
- On a large scale: number of data subjects (absolute or proportion); volume of data; duration/permanence of processing; geographical extent

Slide 8: SITUATION 3: 4 CRITERIA
- Core activities
- Consist of processing
- On a large scale
- Of sensitive, health, genetic, biometric or criminal data

Slide 9: MODALITIES
- Internal or external DPO
- Single DPO possible for: a group of undertakings, if easily accessible; several public bodies, taking into account organisational size and structure; associations and bodies representing controllers or processors
- DPO team: clear assignment of roles necessary
- Effective and well-resourced

Slide 10: WHO CAN BE DPO?
- Professional qualities and, in particular, expert in data protection law and practices
- No conflict of interests. WP29: "As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources, or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing."

Slide 11: POSITION OF DPO (1)
Controller/processor must:
- Give the necessary resources: management support, support from other services, time, premises, facilities, equipment, staff, internal communication
- Give access to personal data/processing operations
- Maintain expert knowledge (training)

Slide 12: POSITION OF DPO (2)
- To be involved properly and in a timely manner in all data protection issues: inform and consult
- Independence: no instructions, but also no decision power
- No dismissal/sanctions for DPO work
- Direct report to highest management
- Duty of secrecy

Slide 13: POSITION OF DPO (3)
- Controller/processor remains liable for processing operations
- Contact point for: data subjects; data protection authority; controller/processor employees

Slide 14: MINIMAL TASKS OF DPO (1)
- Collect information and identify processing activities
- Analyse and check compliance
- Inform, advise and issue recommendations
- Monitor compliance, incl. policies, assignment of responsibilities, awareness-raising, training, audits

Slide 15: MINIMAL TASKS OF DPO (2)
- Advise on and monitor DPIA
- Contact point for and co-operate with the supervisory authority
- Due regard to the processing risk, considering the nature, scope, context and purposes of processing

Slide 16: MISCELLANEOUS (1)
- Document and justify: mandatory/voluntary DPO; deviation from DPO advice
- First DPO, then DPIA
- DPO can keep records of processing

Slide 17: MISCELLANEOUS (2)
Make an agreement with the DPO covering:
- Secrecy
- Resources
- Nature, scope, context and purposes of processing
- Scope of assignment
- Conflict of interest
- Records of processing

Slide 18: CONTACT
Gerrit Vandendriessche
Tour&Taxis Building
Avenue du Port 86C, B Brussels