Article 39
Tasks of the data protection officer
There is no recital in the Regulation related to article 39.
There is no recital in the Directive related to article 39.
Regulation
Art. 39
1. The data protection officer shall have at least the following tasks:
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Directive
Art. 18
1. Member States shall provide that the controller or his representative, if any, must notify the supervisory authority referred to in Article 28 before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.
2. Member States may provide for the simplification of or exemption from notification only in the following cases and under the following conditions:
- where, for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects, they specify the purposes of the processing, the data or categories of data undergoing processing, the category or categories of data subject, the recipients or categories of recipient to whom the data are to be disclosed and the length of time the data are to be stored, and/or
- where the controller, in compliance with the national law which governs him, appoints a personal data protection official, responsible in particular:
  - for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive
  - for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21 (2),
  thereby ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.
3. Member States may provide that paragraph 1 does not apply to processing whose sole purpose is the keeping of a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person demonstrating a legitimate interest.
4. Member States may provide for an exemption from the obligation to notify or a simplification of the notification in the case of processing operations referred to in Article 8 (2) (d).
5. Member States may stipulate that certain or all non-automatic processing operations involving personal data shall be notified, or provide for these processing operations to be subject to simplified notification.
Austria
Data protection officer § 5 DSG
(1) Without prejudice to other obligations of confidentiality, the data protection officer and the persons working for the data protection officer shall be bound by confidentiality when fulfilling their duties. This shall apply in particular in relation to the identity of data subjects who applied to the data protection officer, and to circumstances that allow identification of these persons, unless the data subject has expressly granted a release from confidentiality. The data protection officer and the persons working for the data protection officer may exclusively use information made available to fulfil their duties and shall be bound by confidentiality even after the end of their activities.
(2) If, during his or her activities, a data protection officer obtains knowledge of data in respect of which a person employed with a body subject to the supervision of the data protection officer has a statutory right to refuse to give evidence, the data protection officer and the persons working for the data protection officers shall also have such a right to the extent to which the person who has the right to refuse to give evidence exercised that right. The files and other documents of the data protection officer are subject to a prohibition of seizure and confiscation to the extent of the right of the data protection officer to refuse to give evidence.
(3) Public-sector data protection officers (instituted in legal form under public law, in particular also as an organ of a regional authority) are not bound by any instructions when exercising their duties. The highest governing bodies or officers have the right to obtain information on matters to be dealt with from a public-sector data protection officer. The data protection officer shall provide information only insofar as the independence of the data protection officer as described in Article 38 para. 3 of the General Data Protection Regulation is not impaired by doing so.
(4) Considering the type and scope of data processing activities and depending on the facilities of a federal ministry, one or several data protection officers shall be appointed in the sphere of responsibilities of each federal ministry. These data protection officers shall be employed by the relevant federal ministry or the relevant subordinate office or other entity.
(5) Public-sector data protection officers pursuant to para. 4 shall regularly exchange information, in particular with regard to ensuring uniform data protection standards.
Confidentiality of data § 6
(1) The controller, the processor and their employees, i.e. employees and persons in a quasi-employee relationship, shall ensure the confidentiality of personal data from data processing activities that have been entrusted or have become accessible to them solely due to their employment, without prejudice to other statutory obligations of confidentiality, unless a legitimate reason for the transmission of the data that have been entrusted or have become accessible to them exists (confidentiality of data).
(2) Employees may transmit personal data only if expressly ordered to do so by their employer. Unless such an obligation of their employees already exists by law, the controller and the processor shall contractually bind their employees to transmit personal data from data processing activities only on the basis of orders and to maintain the confidentiality of data even after the end of their employment with the controller or processor.
[...]