DATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017


TOPICS
- GDPR overview
- Concept of the DPO
- Recruitment process
- Job description
- Liability
- Your to-dos: GDPR responsibility and budget

BACKGROUND CONSIDERATIONS
- Entered into force in May 2016, applicable from 25 May 2018, and directly applicable in all EU Member States (no national transposition needed)
- One of the most wide-ranging pieces of legislation passed by the EU in recent years, introducing new concepts and a wider scope

GDPR OVERVIEW
Entered into force in May 2016, applicable from 25 May 2018, and directly applicable in all EU Member States.
Fines: there are two tiers of administrative fines:
- up to EUR 10,000,000 or, in the case of undertakings, 2% of total worldwide annual turnover, whichever is higher; or
- up to EUR 20,000,000 or, in the case of undertakings, 4% of total worldwide annual turnover, whichever is higher.
Main aspects:
- new rights for data subjects, including the right to data portability and the "right to be forgotten" in specific cases
- adequate technical and organizational measures
- privacy by design and privacy by default
- records of processing operations, at the level of each controller and processor
- data protection impact assessment, and prior consultation with the supervisory authority
- appointment of the data protection officer ("DPO") - article
- data breach notification within 72 hours
- cooperation of the supervisory authorities and the one-stop-shop mechanism, etc.

THE DPO CONCEPT
Key function/position under the GDPR, mandatory for some entities and voluntary for the rest, with a strict set of rights, duties and liability prescribed by the GDPR.
The DPO's four roles:
- Advisor
- Responsible for data privacy compliance
- Contact person
- Trainer

RECRUITMENT PROCESS (1)
MANDATORY APPOINTMENT
- personal data processing performed by public authorities or bodies, except for courts acting in their judicial capacity
- entities performing, as core activities, personal data processing operations requiring regular and systematic monitoring of data subjects on a large scale
- entities processing on a large scale, as core activities, special categories of data or data related to criminal convictions and offences
VOLUNTARY APPOINTMENT
- possible and even recommended (Art. 29 WP and the Romanian Data Protection Authority) for other processing operations as well
- same legal requirements as in the case of mandatory appointment
Main actions:
- assessing whether any of the mandatory appointment cases applies to the organization
- if not, assessing the opportunity of a voluntary appointment of a DPO

RECRUITMENT PROCESS (2)
Selection criteria:
- proficient knowledge of data protection law and practices
- the ability to fulfil a series of tasks expressly provided by the GDPR, as well as any related operations necessary for fulfilling such tasks
WP29 guidance on these criteria:
- knowledge of data protection law: expertise in national and European data protection laws and practices, and an in-depth understanding of the GDPR
- level of expertise proportional to the sensitivity, complexity and amount of data processed by the organization
- ability to fulfil tasks: refers both to the knowledge of the DPO and to its position within the organization

RECRUITMENT PROCESS (3)
Internal DPO vs. external DPO:
- conflict of interest issues
- contractual basis
- combination of both internal and external DPO vs. consultant
DPO appointment in the case of a group of companies:
- possible interpretation of the law: a single DPO may be appointed for all the companies in the group
- recommendation: Romanian data controllers should appoint a separate DPO

JOB DESCRIPTION (1)
Informs and advises the organization and the employees who carry out processing activities of their data privacy obligations
- Practical insights: training programs, workshops, requests for opinion, participation in business meetings (e.g. product development)
Monitors the organization's GDPR / privacy law / policy compliance
- Practical insights: operational audit on a risk-based approach, periodic reporting, workshops, ensuring permanent compliance of the internal documentation relevant from a data protection perspective
Cooperates with the supervisory data protection authority
- Practical insights: prepares responses to the Authority's requests, assistance during investigations, the authority's contact point on any issues regarding the processing activities performed by the organization

JOB DESCRIPTION (2)
Runs/coordinates investigations on the data privacy compliance level of the data controller/data processor
- Practical insights: cooperating with relevant persons in view of ascertaining potential non-compliances, targeted analyses of the personal data processing operations, red flags on potential data breaches
PIAs: advises on data processing operations falling under the PIA obligation, as per art. 35 and 36 GDPR
- Practical insights: advising on PIA processes, establishing responsibilities/competent persons, determining and sharing tasks, determining monitoring and auditing plans, organizing the consultation process with the supervisory authority

LIABILITY
- DPOs are not personally responsible (towards data subjects and DPAs) in cases of non-compliance with the GDPR
- Accountability principle: controllers and processors bear the burden of proof regarding GDPR compliance
- An (internal) DPO cannot be dismissed or penalized for performing its tasks; it may however be dismissed for reasons other than those related to the exercise of its DPO duties (Art. 29 WP)
- Penalties may take various forms, e.g. absence or delay of promotion, denial of benefits that other employees receive
- Pay attention to the allocation / limitation of liability under contract (internal and external DPO)

YOUR TO-DOS: GDPR RESPONSIBILITY AND BUDGET
- Assign responsibility and budget for data protection compliance within your organization. Whether or not you decide to appoint an internal or external DPO, you need to establish ownership of the GDPR implementation and monitoring, along with the task allocation for the internal business units.
- Recruit a person with an appropriate level of expertise (see the job requirements for the internal DPO).
- Be clear and specific in the job description and the applicable corporate governance rules to avoid conflicts of interest, and ensure the protected employment status that applies to the DPO under the GDPR.
- Consider reporting lines: supervisory authorities will expect a direct line to the board or the CEO.
- Consider the rules for internal collaboration.

THANK YOU FOR YOUR ATTENTION!
Maria Maxim, Partner, WOLF THEISS
Bucharest Corporate Center Building, Gheorghe Polizu St., 13th floor, Bucharest
Tel