TOPICS
GDPR overview
Concept of the DPO
Recruitment process
Job description
Liability
Your to do’s: GDPR Responsibility and Budget
BACKGROUND CONSIDERATIONS
Entered into force in May 2016, effective from 25 May 2018, and directly applicable in all EU Member States
One of the most wide-ranging pieces of legislation passed by the EU in recent years, introducing new concepts and a wider scope
GDPR OVERVIEW
Entered into force in May 2016, effective from 25 May 2018, and directly applicable in all EU Member States
Fines: there are two tiers of administrative fines:
Up to €10,000,000 or, in the case of undertakings, 2% of global turnover, whichever is the higher, or
Up to €20,000,000 or, in the case of undertakings, 4% of global turnover, whichever is the higher.
Main aspects:
new rights for data subjects, including the right to data portability and the "right to be forgotten" in specific cases
adequate technical and organizational measures
privacy by design and privacy by default
records of processing operations, at the level of each controller and processor
data protection impact assessment, and the prior consultation with the supervisory authority
appointment of the data protection officer ("DPO") - article 37-39
data breach notification within 72 hours
cooperation of the supervisory authorities and one stop shop mechanism, etc.
THE DPO CONCEPT
Key function/position under the GDPR, mandatory for some entities and voluntary for the rest, with a strict set of rights, duties and liability prescribed by the GDPR attached to it.
Advisor
Responsible for data privacy compliance
Contact person
Trainer
RECRUITMENT PROCESS (1)
MANDATORY APPOINTMENT
personal data processing performed by public authorities or bodies, except for courts acting in their judicial capacity
entities performing, as core activities, personal data processing operations requiring regular and systematic monitoring of data subjects on a large scale
entities processing on a large scale, as core activities, special categories of data or data related to criminal convictions and offences
VOLUNTARY APPOINTMENT
possible and even recommended (Art. 29 WP and the Romanian Data Protection Authority) for other processing operations as well
Same legal requirements as in the case of mandatory appointment
Main actions:
Assessing whether any of the mandatory appointment cases is applicable to the organization
If not, assessing the opportunity of a voluntary appointment of a DPO
RECRUITMENT PROCESS (2)
Selection criteria
proficient knowledge of data protection law and practices
the ability to fulfil a series of tasks expressly provided by the GDPR, as well as any related operations necessary for fulfilling such tasks
WP29 Guidance on these criteria:
knowledge of data protection law – expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR
level of expertise – proportional to the sensitivity, complexity and amount of data processed by an organization
ability to fulfil tasks – refers both to the knowledge of the DPO and to its position within the organization
RECRUITMENT PROCESS (3)
Internal DPO vs. External DPO
Conflict of interest issues
Contractual basis
Combination of both internal and external
DPO vs. consultant
DPO appointment in the case of a group of companies
Possible interpretation of the law: a single DPO may be appointed for all the companies in the group
Recommendation: Romanian data controllers should appoint a separate DPO
JOB DESCRIPTION (1)
Informs and advises the organization and the employees who carry out processing activities of their data privacy obligations
Practical insights: training programs, workshops, requests for opinion, participation in business meetings (e.g. product development)
Monitors the organization's GDPR / privacy law / policy compliance
Practical insights: operational audit on a risk-based approach, periodic reporting, workshops, ensuring permanent compliance of the internal documentation relevant from a data protection perspective
Cooperates with the supervisory data protection authority
Practical insights: prepares responses to the Authority's requests, assistance during investigations, the Authority's contact point on any issues regarding the processing activities performed by the organization
JOB DESCRIPTION (2)
Runs/coordinates investigations on the data privacy compliance level of the data controller/data processor
Practical insights: cooperating with relevant persons in view of ascertaining potential non-compliances, targeted analyses on the personal data processing operations, red flags on potential data breaches
PIAs advice on data processing operations falling under the PIA obligation, as per art. 35 and 36 GDPR
Practical insights: advising on PIA processes – establishing responsibilities/competent persons, determining and sharing tasks, determining monitoring and auditing plans, organizing the consultation process with the supervisory authority
LIABILITY
DPOs are not personally responsible (towards data subjects and DPAs) in cases of non-compliance with the GDPR
"Accountability principle" – controllers and processors bear the burden of proof regarding GDPR compliance
An (internal) DPO cannot be dismissed or penalized for performing its tasks; it may however be dismissed for reasons unrelated to the exercise of its DPO duties
According to Art. 29 WP, penalties may take various forms – e.g. absence or delay of promotion, denial of benefits that other employees receive
Pay attention to the allocation / limitation of liability under contract (internal and external DPO)
YOUR TO DO’S:
GDPR RESPONSIBILITY AND BUDGET
Assign responsibility and budget for data protection compliance within your organization. Whether you decide to appoint an internal or an external DPO, you need to establish ownership of the GDPR implementation and monitoring, along with the task allocation for the internal business units.
Recruit a person with an appropriate level of expertise (see the job requirements for the internal DPO)
Be clear and specific in the job description and the applicable corporate governance rules to avoid conflicts of interest, and ensure the protected employment status which applies to the DPO under the GDPR.
Consider reporting lines – supervisory authorities will expect a direct line to the board or the CEO
Consider the rules for internal collaboration
THANK YOU FOR YOUR ATTENTION!
Maria Maxim
Partner
WOLF THEISS
Bucharest Corporate Center Building
58-60 Gheorghe Polizu St., 13th floor
Bucharest
Tel. +40 21 308 8100