DPO – Data Protection Officer
A Data Protection Officer always at your company’s disposal
An expert always at your company’s disposal who can guarantee security and compliance? Our Data Protection Officer (DPO) service gives you a highly specialised, up-to-date professional who is always available to advise you on the training and updates your employees need. We guarantee the security necessary to prevent the risks connected with a data breach, support you in fulfilling all the obligations imposed by European legislation, and assess any changes in your production processes that may affect compliance with the General Data Protection Regulation.
Who is the Data Protection Officer?
Among the innovations introduced by the General Data Protection Regulation (better known as the GDPR) No. 2016/679 is the appointment of the Data Protection Officer (also referred to by the initials DPO). Public authorities and bodies must appoint a Data Protection Officer, with the exception of judicial authorities acting in their judicial capacity. The same obligation applies to all subjects (institutions and companies) whose main activities consist of processing sensitive data on a large scale – data relating to health or sexual life, or genetic, judicial and biometric data – or of processing that requires regular and systematic monitoring of the data subjects (this includes, for example, telecommunications operators, operators who perform profiling for behavioural marketing purposes, location tracking via apps, health monitoring through wearable and interconnected devices, so-called wearable devices, loyalty programmes, etc.). The Data Protection Officer is the person who, within a company, whether public or private, observes, evaluates and regulates the management of personal data processing, guaranteeing processing that complies with European and national privacy legislation. In the new legal order, the Data Protection Officer is a fundamental figure: by acting as an intermediary between the various parties involved, they favour growth and competitive development among companies while ensuring full compliance with the provisions of the GDPR.
Data Protection Officer’s tasks
Article 39 of the EU Regulation No. 2016/679 provides a non-exhaustive list of the tasks assigned to the DPO. In particular, each DPO must:
- “inform and advise the data controller or data processor as well as the employees who carry out the processing regarding the obligations deriving from the EU Regulation No. 2016/679, but also other provisions of the Union or of the Member States concerning data protection
- monitor compliance with the above-mentioned Regulation, with other EU or Member State provisions concerning data protection, and with the policies of the data controller or data processor regarding the protection of personal data. These include allocating data responsibilities, awareness-raising, and the training of personnel involved in processing and the related control activities
- provide, if requested, an opinion on the impact assessment on data protection and monitor its performance in accordance with Art. 35
- cooperate with the supervisory authority
- act as the point of contact for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and consult, where appropriate, with regard to any other matter.
In carrying out their duties, the Data Protection Officer must have due regard to the risks associated with processing, taking into account its nature, scope, context and purposes.”
Data Protection Officer: professional tasks and qualities
The EU Regulation No. 2016/679 does not provide a list of the professional qualities that a Data Protection Officer must possess to perform this role. However, adequate knowledge of the relevant legislation and of national and European data protection practice, together with constant updating on related issues, are to be considered relevant and necessary for the performance of their tasks. Mastery of the skills acquired in the sector and good familiarity with the processing operations carried out – as well as with the information systems and the security and data protection needs expressed by the data controller – are also fundamental. INSIDE will provide you with the ideal DPO: an independent and autonomous senior officer, adequately trained and possessing effective, in-depth knowledge of privacy legislation and operational practice. The appointment of a Data Protection Officer:
- is not a mere formality but must take place effectively and concretely
- must be appropriate to the legal-organisational context of the company
- must relate to an independent and autonomous subject who will not have to fulfil other roles within the same company
- must guarantee the protection of corporate security.
GDPR – Sanctions
The General Data Protection Regulation introduces penalties and fines. In order to identify the sanction to be applied, a series of factors is taken into consideration. These include the gravity and duration of the violation, the number of data subjects affected, the level of damage suffered, the intentional nature of the infringement, the actions taken to mitigate the damage and the degree of cooperation with the supervisory authority. Where the rules are not respected, the Regulation sets two ceilings for fines. The first limit provides for fines up to a maximum of 10 million Euro or, in the case of an undertaking, up to 2% of the annual worldwide turnover. This first category of fine applies to infringements of the obligations placed on controllers and processors, such as the impact assessments required by the Regulation. The second limit reaches a maximum of 20 million Euro or 4% of the annual worldwide turnover.