Article 37
Designation of the data protection officer
(49) Whereas, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification required may be provided for by Member States in cases where processing is unlikely adversely to affect the rights and freedoms of data subjects, provided that it is in accordance with a measure taken by a Member State specifying its limits; whereas exemption or simplification may similarly be provided for by Member States where a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects; whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;
(54) Whereas with regard to all the processing undertaken in society, the amount posing such specific risks should be very limited; whereas Member States must provide that the supervisory authority, or the data protection official in cooperation with the authority, check such processing prior to it being carried out; whereas following this prior check, the supervisory authority may, according to its national law, give an opinion or an authorization regarding the processing; whereas such checking may equally take place in the course of the preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing and lays down appropriate safeguards;
Regulation
Art. 37 1. The controller and the processor shall designate a data protection officer in any case where: a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10. 2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment. 3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size. 4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors. 5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. 6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. 7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
|
Directive
Art. 18 (...) 2. Member States may provide for the simplification of or exemption from notification only in the following cases and under the following conditions: - where, for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects, they specify the purposes of the processing, the data or categories of data undergoing processing, the category or categories of data subject, the recipients or categories of recipient to whom the data are to be disclosed and the length of time the data are to be stored, and/or - where the controller, in compliance with the national law which governs him, appoints a personal data protection official, responsible in particular: - for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive - for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21 (2), thereby ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations. |
Germany
Section 4f (1) Public and private bodies which process personal data automatically shall appoint in writing a data protection official. Private bodies are obliged to appoint such an officer within one month of commencing their activities. The same shall apply where personal data are processed by other means and at least 20 persons are permanently employed for this purpose. The first and second sentences above shall not apply to private bodies which generally deploy a maximum of nine employees to carry out the automatic processing of personal data on an ongoing basis. In so far as the structure of a public body requires, the appointment of one data protection official for several areas shall be sufficient. In so far as private bodies carry out automated processing operations which are subject to prior checking or process personal data in the course of business for the purposes of transfer, anonymized transfer, or market or opinion research, they are to appoint a data protection official irrespective of the number of persons deployed to carry out automatic processing. (2) Only persons who possess the specialized knowledge and demonstrate the reliability necessary for the performance of the duties concerned may be appointed data protection official. The required level of specialized knowledge is determined in particular according to the scope of data processing carried out by the controller concerned and the protection requirements of the personal data collected or used by the controller concerned. A person from outside the body concerned may also be appointed data protection official; monitoring shall also extend to personal data which are subject to professional or official secrecy, in particular tax secrecy pursuant to Section 30 of the Fiscal Code. ... |
Romania
|