DATA PROTECTION OFFICER (DPO) - Institutul Bancar

Maria Maxim, Partner

Bucharest, October 25, 2017

TOPICS

GDPR overview

Concept of the DPO

Recruitment process

Job description

Liability

Your to-dos: GDPR responsibility and budget

BACKGROUND CONSIDERATIONS

Entered into force in May 2016, applies from 25 May 2018, and is directly applicable in all EU Member States (no national transposition is needed)

One of the most wide-ranging pieces of legislation passed by the EU in recent years, introducing new concepts and a wider territorial and material scope

GDPR OVERVIEW

Fines: there are two tiers of administrative fines (Art. 83):

up to €10,000,000 or, in the case of undertakings, 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; or

up to €20,000,000 or, in the case of undertakings, 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Main aspects:

new rights for data subjects, including the right to data portability and the "right to be forgotten" (right to erasure) in specific cases

adequate technical and organisational measures ensuring a level of security appropriate to the risk (Art. 32)

privacy by design and privacy by default (Art. 25)

records of processing operations, at the level of each controller and processor (Art. 30)

data protection impact assessment and prior consultation with the supervisory authority (Art. 35-36)

appointment of the data protection officer ("DPO") (Art. 37-39)

notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals (Art. 33)

cooperation between supervisory authorities and the one-stop-shop mechanism, etc.

THE DPO CONCEPT

Key function/position under the GDPR, mandatory for some entities and voluntary for the rest, with a strict set of rights, duties and liability prescribed by the GDPR.

Roles of the DPO:

Advisor

Monitors data privacy compliance (the controller/processor remains accountable)

Contact person

Trainer

RECRUITMENT PROCESS (1)

MANDATORY APPOINTMENT (Art. 37(1))

personal data processing performed by public authorities or bodies, except for courts acting in their judicial capacity

entities whose core activities consist of personal data processing operations requiring regular and systematic monitoring of data subjects on a large scale

entities whose core activities consist of large-scale processing of special categories of data (Art. 9) or of data relating to criminal convictions and offences (Art. 10)

VOLUNTARY APPOINTMENT

possible and even recommended (WP29, the Article 29 Working Party, and the Romanian Data Protection Authority) for other processing operations as well

the same legal requirements (Art. 37-39) apply as in the case of a mandatory appointment

Main actions:

assessing whether any of the mandatory appointment cases applies to the organization

if not, assessing the opportunity of a voluntary appointment of a DPO

RECRUITMENT PROCESS (2)

Selection criteria (Art. 37(5))

professional qualities, in particular expert knowledge of data protection law and practices

the ability to fulfil the tasks expressly provided by the GDPR (Art. 39), as well as any related operations necessary for fulfilling such tasks

WP29 guidance on these criteria:

knowledge of data protection law: expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR

level of expertise: proportional to the sensitivity, complexity and amount of data processed by the organization

ability to fulfil tasks: refers both to the knowledge and personal qualities of the DPO and to the DPO's position within the organization

RECRUITMENT PROCESS (3)

Internal DPO vs. external DPO

conflict of interest issues (Art. 38(6): any other tasks and duties must not result in a conflict of interests)

contractual basis (employment contract vs. service contract, Art. 37(6))

combination of both internal and external

DPO vs. consultant

DPO appointment in the case of a group of companies

Art. 37(2): a group of undertakings may appoint a single DPO for all the companies in the group, provided that the DPO is easily accessible from each establishment

Recommendation: Romanian data controllers should appoint a separate DPO

JOB DESCRIPTION (1)

Informs and advises the organization and the employees who carry out processing activities of their data privacy obligations (Art. 39(1)(a))

Practical insights: training programs, workshops, requests for opinion, participation in business meetings (e.g. product development)

Monitors the organization's GDPR / privacy law / policy compliance (Art. 39(1)(b))

Practical insights: operational audit on a risk-based approach, periodic reporting, workshops, ensuring permanent compliance of the internal documentation relevant from a data protection perspective

Cooperates with the supervisory data protection authority and acts as its contact point (Art. 39(1)(d)-(e))

Practical insights: prepares responses to the Authority's requests, assistance during investigations, the Authority's contact point on any issues regarding the processing activities performed by the organization

JOB DESCRIPTION (2)

Runs/coordinates investigations on the data privacy compliance level of the data controller/data processor

Practical insights: cooperating with relevant persons in view of ascertaining potential non-compliances, targeted analyses of the personal data processing operations, red flags on potential data breaches

Advises on and monitors PIAs (data protection impact assessments) for data processing operations falling under the PIA obligation, as per Art. 35 and 36 GDPR (Art. 39(1)(c))

Practical insights: advising on PIA processes: establishing responsibilities/competent persons, determining and sharing tasks, determining monitoring and auditing plans, organizing the consultation process with the supervisory authority

LIABILITY

DPOs are not personally responsible (towards data subjects and DPAs) in cases of non-compliance with the GDPR

"Accountability principle" (Art. 5(2)): controllers and processors bear the burden of proof regarding GDPR compliance

A DPO (internal or external) cannot be dismissed or penalized by the controller or processor for performing its tasks (Art. 38(3)); it may however be dismissed for reasons other than those related to the exercise of its DPO duties

WP29: penalties may take various forms, e.g. absence or delay of promotion, denial of benefits that other employees receive

Pay attention to the allocation / limitation of liability under contract (internal and external DPO)

YOUR TO-DOS:

GDPR RESPONSIBILITY AND BUDGET

Assign responsibility and budget for data protection compliance within your organization. Whether or not you decide to appoint a DPO (internal or external), you need to establish ownership of the GDPR implementation and monitoring, along with the task allocation for the internal business units.

Recruit a person with an appropriate level of expertise (see the job requirements for the internal DPO).

Be clear and specific in the job description and the applicable corporate governance rules to avoid conflicts of interest, and ensure the protected employment status which applies to the DPO under the GDPR.

Consider reporting lines: the GDPR requires the DPO to report directly to the highest management level of the controller or processor (Art. 38(3)), so supervisory authorities will expect a direct line to the board or the CEO.

Consider the rules for internal collaboration: the DPO must be involved, properly and in a timely manner, in all issues relating to the protection of personal data (Art. 38(1)).

THANK YOU FOR YOUR ATTENTION!


Maria Maxim

Partner

WOLF THEISS

Bucharest Corporate Center Building

58-60 Gheorghe Polizu St., 13th floor

Bucharest

Tel. +40 21 308 8100

[email protected]