Home
Global
Contact
29 March 2018
According to Recital 4 GDPR, the right to the protection of personal data is not an absolute right. It must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.
This also applies to the understanding of the tasks and role of the Data Protection Officer in an organisation – a new function introduced by the General Data Protection Regulation (GDPR).
Article 37 of the GDPR lists the situations where the data controller and the processor (on behalf of the controller) must designate a DPO and the failure to designate one is subject to an administrative fine. The DPO is mandatory where:
Most enterprises operating in Poland and the EU will not need to designate a data protection officer. In many, the role will be optional, so it is worth knowing the benefits.
Beyond doubt, as a watchman of data protection processes a DPO in every organisation will be responsible not only for the observance of the GDPR but also for the compliance of the enterprise's activities and functioning with other data protection laws. A DPO will not only safeguard the protection of data processed by the controller or processor. His duties will include regular in-house audits to obtain information on personal data processing and reveal any irregularities in the organisation. The function may be performed by a member of the controller's or the processor's staff or by a third party professional who, in addition to safeguarding the data processing, will also be able to check other processes in the organisation (e.g. financial, IT, logistics).
Does it make sense to appoint a data protection officer if the law does not require it? Will the DPO indeed be entitled to take other actions in addition to personal data protection?
The Article 29 Working Party is an independent advisory body established on the basis of Article 29 of Directive 95/46/EC. The Working Party's guidelines say clearly that a data protection officer may facilitate compliance and help increase the enterprise's competitiveness. The DPO is to ensure compliance by means of accountability mechanisms and to liaise among all interested parties (e.g. data protection authority, data subjects and enterprise departments).
One of the good practices promoted by the Working Party is to designate a DPO to supervise the activities of entities towards which the processor is a data controller (e.g. providers of HR, IT, logistics services contracted by the data controller).
This suggests that the role and tasks of the DPO do not boil down to safeguarding the controller's (or processor's) compliance with the GDPR and other rules and regulations on data protection, but extend also to other actions to monitor processes in an organisation.
Following Article 38(6) of the GDPR, the Article 29 Working Party explains that a Data Protection Officer, who e.g. belongs to the organisation, may fulfil other tasks and duties, but they must not result in a conflict of interests. They emphasise that a Data Protection Officer may not occupy a role in which he defines the methods and purposes of data processing.
Consequently, on one hand, a DPO is deeply embedded in the GDPR realm, but on the other hand (especially while undertaking other tasks for the controller or processor) he operates outside the GDPR and the DPO's activities may help to e.g. increase business efficiency of the controller or administrator to improve their competitive edge.
Jarosław Kamiński
Attorney at law (Poland)
Associate Partner
Send inquiry
Profile
