The Office of the Data Protection Commissioner (Ireland) recently shared its advice on who needs a Data Protection Officer, and on that officer's role, responsibilities and obligations.
The Data Protection Officer (DPO) role is an important GDPR innovation and a cornerstone of the GDPR's accountability-based compliance framework. In addition to supporting an organisation's compliance with the GDPR, DPOs will have an essential role in acting as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).
The DPO will have professional standing, independence, expert knowledge of data protection and, to quote the GDPR, be 'involved properly and in a timely manner' in all issues relating to the protection of personal data.
The DPC (Data Protection Commissioner) recommends that all organisations that will be required by the GDPR to appoint a DPO should do so as soon as possible and well in advance of May 2018. With the authority to carry out this critical function, the Data Protection Officer will be of pivotal importance to an organisation's preparations for the GDPR and to meeting its accountability obligations.
A DPO may be a member of staff at the appropriate level with the appropriate training, an external DPO, or one shared by a group of organisations; all of these are options provided for in the GDPR.
It is important to note that DPOs are not personally responsible where an organisation does not comply with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure, and to be able to demonstrate, that the processing is in accordance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or the processor.
Who needs a DPO?
1. All public authorities and bodies, including government departments.
2. Where the core activities of the organisation (controller or processor) consist of data processing operations which require regular and systematic monitoring of individuals on a large scale.
3. Where the core activities of the organisation consist of processing special categories of data (e.g. health data) or personal data relating to criminal convictions or offences.
Public Authority or Body?
Public authorities and bodies include national, regional and local authorities, but the concept typically also includes a range of other bodies governed by public law.
It is recommended, as good practice, that private organisations carrying out public tasks or exercising public authority should designate a DPO.
Core activities can be defined as the key operations necessary to achieve an organisation's (controller's or processor's) goals. For example, a private security company which carries out surveillance of private shopping centres and/or public spaces using CCTV would be required to appoint a DPO, as surveillance is a core activity of the company. On the other hand, it would not be mandatory to appoint a DPO where an organisation undertakes activities such as payroll and IT support: while these involve the processing of personal data, they are considered ancillary rather than core activities.
Large-scale processing
While the GDPR does not define 'large-scale', the following factors should be taken into consideration:
- The number of individuals (data subjects) concerned, either as a specific number or as a proportion of the relevant population.
- The volume of data and/or the range of different data items being processed.
- The duration, or permanence, of the data processing activity.
- The geographical extent of the processing activity.
Examples of large-scale processing include:
- Processing of patient data in the regular course of business by a hospital.
- Processing of travel data of individuals using a city's public transport system (e.g. tracking via travel cards).
- Processing of real-time geolocation data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services.
- Processing of customer data in the regular course of business by an insurance company or a bank.
Examples that do not constitute large-scale processing include:
- Processing of patient data by an individual doctor.
- Processing of personal data relating to criminal convictions and offences by an individual lawyer.
Regular and systematic monitoring
Regular and systematic monitoring should be interpreted, in particular, as including all forms of tracking and profiling on the internet, including for behavioural advertising. However, the definition of monitoring is not restricted to the online environment. Online tracking is just one example of monitoring the behaviour of individuals.
'Regular' is interpreted by the Working Party 29 (comprising the EU's data protection authorities) as meaning one or more of the following:
- Ongoing or occurring at particular intervals for a particular period.
- Recurring or repeated at fixed times.
'Systematic' is interpreted as meaning one or more of the following:
- Occurring according to a system.
- Pre-arranged, organised or methodical.
- Taking place as part of a general plan for data collection.
- Carried out as part of a strategy.
Special Categories of Data
These include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; the processing of genetic data, or of biometric data for the purpose of uniquely identifying a natural person; data concerning health; data concerning a natural person's sex life or sexual orientation; and personal data relating to criminal convictions and offences.
Best Regards,
Web Admin
LATVIK SECURE
LATVIK TECHNOLOGIES ™
www.latvikhost.com | https://latviksecure.blogspot.com