The DPO (Data Protection Officer), defined by the GDPR, is a person who holds the role or position of coordinator in matters of personal data protection, works for a data controller or data processor, and is the contact person for communication with supervisory authorities.
What are the responsibilities and competencies of the DPO?
The DPO’s duties and tasks are specified in the Regulation. His / her main responsibility is to monitor, analyze and control compliance with the Regulation and then provide the data controller and data processor with advice and recommendations. He or she has an advisory role when carrying out a data protection impact assessment. The DPO also cooperates with the Supervisory Authority.
- supervising the personal data processing carried out by the controller or processor
- advising on the impact of new processing activities on the protection of personal data
- monitoring the GDPR compliance of ongoing personal data processing activities
- cooperation with supervisory authorities
What is the relation between the data controller and the DPO?
The DPO can be either outsourced (a contractor) or employed by the data controller (or processor). One DPO may work for several organizations. The obligation to appoint a DPO arises in the following cases:
- when the processing of personal data is the principal activity of the controller or processor
- when the data processing is carried out by a public authority or a public body
- when the main activities of the controller or processor consist of processing operations that require extensive, regular and systematic monitoring of data subjects
- when the main activities of the controller or processor consist of the extensive processing of specific categories of data or judgments in criminal matters and offenses
The position of the DPO is independent. The controller (or processor) must provide him / her with full support in the form of cooperation, cannot give him / her any instructions regarding the performance of his / her duties and tasks, and cannot dismiss or sanction him / her for carrying out the DPO’s duties.
What qualifications should the DPO have?
The Regulation defines the requirements for the DPO’s qualifications only very broadly and does not stipulate any requirements in terms of legal (or other) qualifications. However, the DPO should be knowledgeable about personal data processing, information security, law and information technology. The DPO must have a deep understanding and a vast knowledge of the whole Regulation.
The DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
What are the DPO’s responsibilities?
As for personal responsibility, the DPO shall not be liable for non-compliance with the GDPR in the organization(s) where he / she is performing the function. The entire responsibility lies with the data controller (or processor).