menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Sweden) language
Contact our local member in Sweden mail_outline
Visit the website of Lindberg & Saxon account_balance

arrow_backPrevious Article
Article 39
Next Articlearrow_forward

Tasks of the data protection officer

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 39 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 39 keyboard_arrow_up

Key words related to article 39

There is no recital in the Regulation related to article 39.

There is no recital in the Directive related to article 39.

The GDPR

The data protection officer receives several minimum tasks under Article 39:  to inform and advise (1); a control task (2); to act as a point of contact with the supervisory authority (3).

These tasks can be summarized as follows:

1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; The data protection officer shall also advise the controllers where the latter must make an impact analysis relating to data protection pursuant to Article 35;

2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

3. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter. The data protection officer shall, of course, cooperate with the supervisory authority.

 

The Regulation specifies that in the performance of his or her tasks, the data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

The Directive

Article 18 of the Directive provided, in the very specific case of his or her designation, the purpose of the task of the data protection officer, namely: to ensure that the processing operations do not affect the rights and freedoms of the data subjects. The data protection officer shall have the following tasks:

- for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive,

- for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21 (2),

Potential issues

The different tasks of the data protection officer are likely to require him/her to review the organizational structure of the functions as well as the management rules that currently, in the enterprises or public authorities, relate to the application and the control of compliance with the rules on data protection.

The future data protection officer’s competences are currently often shared between the legal department, the compliance unit, or the already designated data protection officer and these parts of an organisation will need to work closely together in future.

arrow_back Previous ArticleArticle 39Next Article arrow_forward
arrow_back Previous ArticleArticle 39 Next Article arrow_forward

Summary

European Union

European Union

Retour au sommaire

Article 29 Working Party

Guidelines on Data Protection Officers (‘DPOs’) - wp243rev.01 (5 April 2017)

(Endorsed by the EDPB)

The General Data Protection Regulation (‘GDPR’), due to come into effect on 25 May 2018, provides a modernised, accountability-based compliance framework for data protection in Europe. Data Protection Officers (‘DPO’s) will be at the heart of this new legal framework for many organisations, facilitating compliance with the provisions of the GDPR.

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that - as a core activity - monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.

Even when the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis. The Article 29 Data Protection Working Party (‘WP29’) encourages these voluntary efforts.

The concept of DPO is not new. Although Directive 95/46/EC did not require any organisation to appoint a DPO, the practice of appointing a DPO has nevertheless developed in several Member States over the years.

Before the adoption of the GDPR, the WP29 argued that the DPO is a cornerstone of accountability and that appointing a DPO can facilitate compliance and furthermore, become a competitive advantage for businesses. In addition to facilitating compliance through the implementation of accountability tools (such as facilitating data protection impact assessments and carrying out or facilitating audits), DPOs act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).

DPOs are not personally responsible in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions (Article 24(1)). Data protection compliance is a responsibility of the controller or the processor.

The controller or the processor also has a crucial role in enabling the effective performance of the DPO’s tasks. Appointing a DPO is a first step but DPOs must also be given sufficient autonomy and resources to carry out their tasks effectively.

The GDPR recognises the DPO as a key player in the new data governance system and lays down conditions for his or her appointment, position and tasks. The aim of these guidelines is to clarify the relevant provisions in the GDPR in order to help controllers and processors to comply with the law, but also to assist DPOs in their role. The guidelines also provide best practice recommendations, building on the experience gained in some EU Member States. The WP29 will monitor the implementation of these guidelines and may complement them with further details as appropriate.

Lien

Retour au sommaire
arrow_back Previous Article Article 39 Next Article arrow_forward
Retour au sommaire
arrow_back Previous Article Article 39 Next Article arrow_forward
Regulation
1e 2e

Art. 39

1.   The data protection officer shall have at least the following tasks:

a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

d) to cooperate with the supervisory authority;

e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

2.   The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
1st proposal close

Art. 37

1.           The controller or the processor shall entrust the data protection officer at least with the following tasks:

(a)     to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;

(b)     to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;

(c)     to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;

(d)     to ensure that the documentation referred to in Article 28 is maintained;

(e)     to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;

(f)      to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;

(g)     to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer’s own initiative;

(h)     to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.           

2.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.

 
2nd proposal close

Art. 37

1. The (...) data protection officer (...) shall have the following tasks:

(a) to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to this Regulation and other Union or Member State data protection provisions (...);

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits;

(c) (...)

(d) (...)

(e) (...)

(f) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 33;

(g) to monitor responses to requests from the supervisory authority and, within the sphere of the data protection officer's competence, to co-operate with the supervisory authority at the latter's request or on the data protection officer’s own initiative;

(h) to act as the contact point for the supervisory authority on issues related to the processing of personal data, including the prior consultation referred to in Article 34, and consult, as appropriate, on any other matter.

2. (...)

2a. The data protection officer shall in the performance his or her tasks have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.
Directive close

Art. 18

1. Member States shall provide that the controller or his representative, if any, must notify the supervisory authority referred to in Article 28 before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.

2. Member States may provide for the simplification of or exemption from notification only in the following cases and under the following conditions:

- where, for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects, they specify the purposes of the processing, the data or categories of data undergoing processing, the category or categories of data subject, the recipients or categories of recipient to whom the data are to be disclosed and the length of time the data are to be stored, and/or

- where the controller, in compliance with the national law which governs him, appoints a personal data protection official, responsible in particular:

- for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive

- for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21 (2),

thereby ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.

3. Member States may provide that paragraph 1 does not apply to processing whose sole purpose is the keeping of a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person demonstrating a legitimate interest.

4. Member States may provide for an exemption from the obligation to notify or a simplification of the notification in the case of processing operations referred to in Article 8 (2) (d).

5. Member States may stipulate that certain or all non-automatic processing operations involving personal data shall be notified, or provide for these processing operations to be subject to simplified notification.
Sweden
compare_arrows

Switzerland close

DSG Art. 26b Andere Beschäftigung
Der Bundesrat kann dem Beauftragten gestatten, eine andere Beschäftigung auszuüben,
wenn dadurch dessen Unabhängigkeit und dessen Ansehen nicht beeinträchtigt
werden.

DSG Art. 27 Aufsicht über Bundesorgane
1 Der Beauftragte überwacht die Einhaltung dieses Gesetzes und der übrigen Datenschutzvorschriften
des Bundes durch die Bundesorgane. Der Bundesrat ist von dieser Aufsicht ausgenommen.
2 Der Beauftragte klärt von sich aus oder auf Meldung Dritter hin den Sachverhalt näher ab.
3 Bei der Abklärung kann er Akten herausverlangen, Auskünfte einholen und sich
Datenbearbeitungen vorführen lassen. Die Bundesorgane müssen an der Feststellung
des Sachverhaltes mitwirken. Das Zeugnisverweigerungsrecht nach Artikel 16 des
Verwaltungsverfahrensgesetzes gilt sinngemäss.
4 Ergibt die Abklärung, dass Datenschutzvorschriften verletzt werden, so empfiehlt
der Beauftragte dem verantwortlichen Bundesorgan, das Bearbeiten zu ändern oder
zu unterlassen. Er orientiert das zuständige Departement oder die Bundeskanzlei
über seine Empfehlung.
5 Wird eine Empfehlung nicht befolgt oder abgelehnt, so kann er die Angelegenheit
dem Departement oder der Bundeskanzlei zum Entscheid vorlegen. Der Entscheid
wird den betroffenen Personen in Form einer Verfügung mitgeteilt.
6 Der Beauftragte ist berechtigt, gegen die Verfügung nach Absatz 5 und gegen den
Entscheid der Beschwerdebehörde Beschwerde zu führen.

DSG Art. 28 Beratung Privater
Der Beauftragte berät private Personen in Fragen des Datenschutzes.

DSG Art. 29 Abklärungen und Empfehlungen im Privatrechtsbereich
1 Der Beauftragte klärt von sich aus oder auf Meldung Dritter hin den Sachverhalt
näher ab, wenn:
a. Bearbeitungsmethoden geeignet sind, die Persönlichkeit einer grösseren Anzahl
von Personen zu verletzen (Systemfehler);
b. Datensammlungen registriert werden müssen (Art. 11a);
c. eine Informationspflicht nach Artikel 6 Absatz 3 besteht.
2 Er kann dabei Akten herausverlangen, Auskünfte einholen und sich Datenbearbeitungen
vorführen lassen. Das Zeugnisverweigerungsrecht nach Artikel 16 des Verwaltungsverfahrensgesetzes
gilt sinngemäss.
3 Der Beauftragte kann aufgrund seiner Abklärungen empfehlen, das Bearbeiten zu
ändern oder zu unterlassen.
4 Wird eine solche Empfehlung des Beauftragten nicht befolgt oder abgelehnt, so
kann er die Angelegenheit dem Bundesverwaltungsgericht zum Entscheid vorlegen.
Er ist berechtigt, gegen diesen Entscheid Beschwerde zu führen.

DSG Art. 30 Information
1 Der Beauftragte erstattet der Bundesversammlung periodisch sowie nach Bedarf
Bericht. Er übermittelt den Bericht gleichzeitig dem Bundesrat. Die periodischen
Berichte werden veröffentlicht.
2 In Fällen von allgemeinem Interesse kann er die Öffentlichkeit über seine Feststellungen
und Empfehlungen informieren. Personendaten, die dem Amtsgeheimnis
unterstehen, darf er nur mit Zustimmung der zuständigen Behörde veröffentlichen.
Verweigert diese die Zustimmung, so entscheidet der Präsident der auf dem Gebiet
des Datenschutzes zuständigen Abteilung des Bundesverwaltungsgerichts endgültig.

DSG Art. 31 Weitere Aufgaben
1 Der Beauftragte hat insbesondere folgende weiteren Aufgaben:
a. Er unterstützt Organe des Bundes und der Kantone in Fragen des Datenschutzes.
b. Er nimmt Stellung zu Vorlagen über Erlasse und Massnahmen des Bundes,
die für den Datenschutz erheblich sind.
c. Er arbeitet mit in- und ausländischen Datenschutzbehörden zusammen.
d. Er begutachtet, inwieweit die Datenschutzgesetzgebung im Ausland einen
angemessenen Schutz gewährleistet.
e. Er prüft die ihm nach Artikel 6 Absatz 3 gemeldeten Garantien und Datenschutzregeln.
f. Er prüft die Zertifizierungsverfahren nach Artikel 11 und kann dazu Empfehlungen
nach Artikel 27 Absatz 4 oder 29 Absatz 3 abgeben.
g. Er nimmt die ihm durch das Öffentlichkeitsgesetz vom 17. Dezember 2004
übertragenen Aufgaben wahr.
2 Er kann Organe der Bundesverwaltung auch dann beraten, wenn dieses Gesetz
nach Artikel 2 Absatz 2 Buchstaben c und d nicht anwendbar ist. Die Organe der
Bundesverwaltung können ihm Einblick in ihre Geschäfte gewähren.
arrow_back Previous ArticleArticle 39 Next Article arrow_forward
close

2016 - www.itiplaw.eu.