GDPR Articles With Commentary & EU Case Laws
Author: Adv. Prashant Mali
The terms “public authority or body”, “core activities”, “large scale” and “regular and systematic monitoring” aren’t defined in the GDPR, so the WP29 offers its interpretation and guidance on their meaning. The WP29 considers that the notion of “public authority or body” is to be determined under national law. Accordingly, public authorities and bodies include national, regional and local authorities, but the concept, under the applicable national laws, typically also includes a range of other bodies governed by public law.
‘Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives. Regular and systematic monitoring of data subjects clearly includes all forms of tracking and profiling on the Internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment. Factors to be considered when deciding whether processing is “large scale” include the number of data subjects, the volume & range of data, duration of data processing and geographical extent of data processing. A simple example given is the processing of healthcare related data by an individual doctor (not large scale), or by a hospital (large scale).
The WP29 goes on to recommend that, unless a DPO is obviously not required, controllers and processors should document the analysis and process leading to their decisions whether or not to appoint a DPO. DPOs may be appointed on a voluntary basis, but where they are, the same GDPR requirements regarding their designation, role and tasks will apply as to mandatory DPO appointments. Therefore, where organisations don’t appoint a DPO but do, as they may, assign data protection related tasks to their staff or external consultants, it should be made clear internally and externally that such staff or consultants are not DPOs.
The GDPR provides that DPOs “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks set out in the Regulation”. There is no particular qualification or certification specified in the Regulation, but the WP29 considers the necessary skills and expertise to include:
Expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
Understanding of the processing operations carried out;
Understanding of information technologies and data security; knowledge of the business sector and the organisation;
Ability to promote a data protection culture within the organisation.
The role of the DPO may be contracted out to an external service provider and, where it is, the DPO may be a natural person or a legal person (e.g., a limited company). In the latter case, the WP29 recommends that for reasons of legal clarity and good organisation, the contractor should designate a named person as the lead contact for the client.
The DPO does not necessarily have to be a full-time role, but as the WP29 put it, “the DPO’s primary concern should be enabling compliance with the GDPR” and “having sufficient time to devote to DPO tasks is paramount”. Where DPOs have other duties, these cannot be incompatible with their DPO functions. Examples given by the WP29 of roles which would conflict with the DPO's duties include:
Chief Executive Officer;
Chief Operating Officer;
Chief Financial Officer;
Chief Medical Officer;
Head of Marketing;
Head of Human Resources;
Head of IT.
Art. 38 GDPR Position of the data protection officer
1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
2. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
6. The data protection officer may fulfill other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
Suitable Recitals
(97) Data protection officer.
COMMENTARY:
Article 38 imposes on the controller or the processor a series of obligations intended to allow the data protection officer to undertake the tasks provided for in Article 39. So, the controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
It is the responsibility of the controller or the processor to ensure the independence of the data protection officer in the performance of his or her tasks. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law (Article 38(5)). The final version of the Regulation states further that data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights (see Article 38(4)). Finally, the data protection officer may fulfill other tasks and duties, the controller and the processor being required to ensure that any such tasks and duties do not result in a conflict of interests.
The Directive did not say much as to the functions of the data protection officer: according to Article 18, his or her task was to ensure that processing operations do not affect the rights and freedoms of the data subjects, by ensuring, in an independent way, the compliance of the processing with the national provisions transposing the Directive. In particular, the data protection officer had to maintain records of the processing carried out by the controller, which had to contain the information that was subject to notification to the competent national supervisory authority, in accordance with Article 21(2) of the Directive.
Art. 39 GDPR Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
(a) To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) To cooperate with the supervisory authority;
(e) To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Suitable Recitals
(97) Data protection officer.
COMMENTARY:
Data Protection Officer
The Data Protection Officer (DPO) role is an important GDPR innovation and a cornerstone of the GDPR’s accountability-based compliance framework. In addition to supporting an organisation’s compliance with the GDPR, DPOs will have an essential role in acting as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation). The DPO will have professional standing, independence, expert knowledge of data protection and, to quote the GDPR, be ‘involved properly and in a timely manner’ in all issues relating to the protection of personal data.
The DPC recommends that all organisations who will be required by the GDPR to appoint a DPO should do this as soon as possible and well in advance of May 2018. With the authority to carry out their critical function, the Data Protection Officer will be of pivotal importance to an organisation’s preparations for the GDPR and meeting the accountability obligations.
A DPO may be a member of staff at the appropriate level with the appropriate training, an external DPO, or one shared by a group of organisations, which are all options provided for in the GDPR.
It is important to note that DPOs are not personally responsible where an organisation does not comply with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is in accordance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or the processor.
Who needs a DPO?
All public authorities and bodies, including government departments.
Where the core activities of the organisation (controller or processor) consist of data processing operations which require regular and systematic monitoring of individuals on a large scale.
Where the core activities of the organisation consist of processing special categories of data (e.g. health data) or personal data relating to criminal convictions or offences.
Public Authority or Body?
Public authorities and bodies include national, regional and local authorities, but the concept typically also includes a range of other bodies governed by public law. It is recommended, as a good practice, that private organisations carrying out public tasks or exercising public authority should designate a DPO. Core activities can be defined as the key operations necessary to achieve an organisation’s (controller or processor’s) goals. For example, a private security company which carries out surveillance of private shopping centres and/or public spaces using CCTV would be required to appoint a DPO as surveillance is a core activity of the company. On the other hand, it would not be mandatory to appoint a DPO where an organisation undertakes activities such as payroll and IT support as, while these involve the processing of personal data, they are considered ancillary rather than core activities.
Large-scale processing
While the GDPR does not define large-scale, the following factors should be taken into consideration:
The number of individuals (data subjects) concerned – either as a specific number or as a proportion of the relevant population
The volume of data and/or the range of different data items being processed
The duration, or permanence, of the data processing activity
The geographical extent of the processing activity
Examples of large-scale processing include:
Processing of patient data in the regular course of business by a hospital
Processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
Processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
Processing of customer data in the regular course of business by an insurance company or a bank
Processing of personal data for behavioural advertising by a search engine
Processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
Processing of patient data by an individual doctor
Processing of personal data relating to criminal convictions and offences by an individual lawyer
Regular and systematic monitoring
Regular and systematic monitoring should be interpreted, in particular, as including all forms of tracking and profiling on the Internet, including for behavioural advertising. However, the definition of monitoring is not restricted to the online environment. Online tracking is just one example of monitoring the behaviour of individuals.
‘Regular’ is interpreted by the Working Party 29 (comprising the EU’s data protection authorities) as meaning one or more of the following:
Ongoing or occurring at particular intervals for a particular period
Recurring or repeated at fixed times
‘Systematic’ is interpreted as meaning one or more of the following:
Occurring according to a system
Pre-arranged, organised or methodical
Taking place as part of a general plan for data collection
Carried out as part of a strategy
Examples would likely include operating a telecommunications network; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. fraud, credit scoring, insurance premiums); loyalty programmes; CCTV; and connected devices (e.g. smart cars).
Special Categories of Data
These include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, as well as personal data relating to criminal convictions and offences.
Further information and guidance
Further information and guidance on the Data Protection Officer role is set out in the guidelines of the Working Party 29. In particular, these guidelines set out the position of the EU’s data protection authorities on matters such as:
Designation of a single DPO for several organisations
Expertise and skills of the DPO
Role, tasks, responsibilities and independence of the DPO
Resources that should be provided to a DPO to carry out their tasks
Qualifications
Article 37.5 of the GDPR provides that a Data Protection Officer “shall be designated on the basis of