Data Protection Officer Under GDPR

Article 37 of the GDPR states that the controller and the processor must designate a data protection officer (hereinafter referred to as DPO) in the following cases:

  1. The processing is carried out by a public authority or body (except courts acting in judicial capacity);
  2. The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  3. The core activities of the controller or the processor consist of processing on a large scale of the special categories of data referred to in Articles 9 and 10 of the Regulation.

The question then arises: can a single DPO be appointed for a group of undertakings?

Article 37 clarifies this and states that a group of undertakings may appoint a single DPO, provided that the DPO is easily accessible from each establishment. Where the controller or processor is a public authority or body, a single DPO may be designated for several such authorities or bodies, taking account of their organisational structure and size.

The DPO must be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practices, and the ability to fulfil the tasks specified under Article 39.

A DPO may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract. Article 37 requires the controller and processor to publish the contact details of the DPO and to communicate them to the Supervisory Authority.

Position of the Data Protection Officer 

The position of the DPO is a very important one, and Article 38 states that the controller and the processor must ensure that the DPO is involved, properly and in a timely manner, in all issues relating to the protection of personal data.

The controller and the processor must support the DPO in performing these tasks by providing the resources necessary to carry them out, access to personal data and processing operations, and the means to maintain his or her expert knowledge. Article 38 further provides that data subjects may contact the DPO with regard to all issues related to the processing of their personal data and to the exercise of their rights under the GDPR.

The DPO is bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law. The DPO may fulfil other tasks and duties, but it is the duty of the controller or processor to ensure that any such tasks and duties do not result in a conflict of interests.

Picture Credit- https://www.kirkpatrickprice.com/