readenglishbook.com » Law » GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗

Book online «GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗». Author Adv. Prashant Mali



1 ... 15 16 17 18 19 20 21 22 23 ... 71
Go to page:
professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39.” The GDPR does not define the professional qualities required or prescribe the training a DPO should undergo to be qualified to undertake the role. This allows organisations to decide on their DPO’s qualifications and training tailored to the context of the organisation’s data processing.

The appropriate level of qualification and expert knowledge should be determined according to the personal data processing operations carried out, the complexity and scale of data processing, the sensitivity of the data processed and the protection required for the data being processed.

For example, where a data processing activity is particularly complex, or where a large volume or sensitive data is involved (i.e. an internet or insurance company), the DPO may need a higher level of expertise and support.

Relevant skills and expertise include: expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR; understanding of the processing operations carried out; understanding of information technologies and data security; knowledge of the business sector and the organisation; and ability to promote a data protection culture within the organisation. For example, a DPO may need an expert level of knowledge in certain specific IT functions, international data transfers, or familiarity with sector-specific data protection practices such as public sector data processing and data sharing, to adequately perform their duties.

Taking into account the scale, complexity and sensitivity of their data processing operations, organisations should proactively decide on the qualifications and level of training required for their Data Protection Officer. In undertaking such an assessment, organisations should be aware that there are various training options that may be pursued. Some training courses are one-day sessions, while some are online only. Others lead to academically accredited certificates such as diplomas from national law societies. There are also other professional training programmes, which are recognised internationally, and that offer professional qualifications that require an ongoing commitment to training in order to maintain the professional qualification. The Data Protection Commissioner recommends that the following non-exhaustive list of factors be taken into consideration when selecting the appropriate DPO training programme:

The content and means of the training and assessment;

Whether training leading to certification is required;

The standing of the accrediting body; and

Whether the training and certification is recognised internationally.

In any case, a Data Protection Officer should have an appropriate level of expertise in data protection law and practices to enable them to carry out their critical role.

Conflict of Interests

It is important to take into account that while a DPO is permitted to fulfill other tasks and duties, the organisation is required to ensure that any such tasks and duties do not result in a conflict of interests. This is essential to protecting the independence of the DPO. In particular, it means that a DPO cannot hold a position in an organisation where they have the authority to decide the purposes for which personal data is processed and the means by which it is processed. While each organisational structure should be considered case by case, as a rule of thumb, conflicting positions within an organisation may include senior management positions such as chief executive, chief operating/financial/medical officer, head of HR or head of IT. The WP29 guidelines address this matter in further detail.

Publication and communication of the DPO’s contact details

Organisations will be required by the GDPR to publish contact details of the DPO and to communicate these details to the relevant data protection authority. The purpose of this requirement is to ensure that individuals (internal and external to the organisation) and the data protection authority can easily and directly contact the DPO without having to contact another part of the organisation.

Section 5: Codes of conduct and certification Art. 40 GDPR Codes of conduct

The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

Fair and transparent processing;

The legitimate interests pursued by controllers in specific contexts;

The collection of personal data;

The Pseudonymisation of personal data;

The information provided to the public and to data subjects;

The exercise of the rights of data subjects;

The information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

The measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;

The notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;

The transfer of personal data to third countries or international organisations; or

Out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority, which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

The Commission shall ensure appropriate publicity for the approved codes, which have been decided as having general validity in accordance with paragraph 9.

The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

Suitable Recitals

Preparation of codes of conduct by organisations and associations; (99) Consultation of stakeholders and data subjects in the development of codes of conduct.



COMMENTARY:

The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply.

The specific needs of micro, small and medium sized enterprises must be taken into account.

Signing up to a code of conduct or certification scheme is not obligatory. But if an approved code of conduct or certification scheme that covers your processing activity becomes available, you may wish to consider working towards it as a way of demonstrating that you comply.

Adhering to codes of conduct and certification schemes brings a number of benefits over and above demonstrating that you comply. It can:

improve transparency and accountability - enabling individuals to distinguish the organisations that meet the requirements of the law and they can trust with their personal data.

provide mitigation against enforcement action; and

improve standards by establishing best practice.

When contracting work to third parties, including processors, you may wish to consider whether they have signed up to codes of conduct or certification mechanisms.

Who is responsible for drawing up codes of conduct?

Governments and regulators can encourage the drawing up of codes of conduct.

Codes of conduct may be created by trade associations or representative bodies.

Codes should be prepared in consultation with relevant stakeholders, including individuals (Recital 99).

Codes must be approved by the relevant supervisory authority; and where the processing is cross-border, the European Data Protection Board (the EDPB).

Existing codes can be amended or extended to comply with the requirements under the GDPR.

What will codes of conduct address?

Codes of conduct should help you comply with the law, and may cover topics such as:

fair and transparent processing;

legitimate interests pursued by controllers in specific contexts;

the collection of personal data;

the Pseudonymisation of personal data;

the information provided to individuals and the exercise of individuals’ rights;

the information provided to and the protection of children (including mechanisms for obtaining parental consent);

technical and organisational measures, including data protection by design and by default and security measures;

breach notification;

data transfers outside the EU; or

dispute resolution procedures.

What are the practical implications?

If you sign up to a code of conduct, you will be subject to mandatory monitoring by a body accredited by the supervisory authority. If you infringe the requirements of the code of practice, you may be suspended or excluded and the supervisory authority will be informed. You also risk being subject to a fine of up to 10 million Euros or 2 per cent of your global turnover. Adherence to a code of conduct may serve as a mitigating factor when a supervisory authority is considering enforcement action via an administrative fine.

Who is responsible for certification mechanisms?

Member states, supervisory authorities, the EDPB or the Commission are required to encourage the establishment of certification mechanisms to enhance transparency and compliance with the Regulation. Certification will be issued by supervisory authorities or accredited certification bodies.

What is the purpose of a certification mechanism?

A certification mechanism is a way of you demonstrating that you comply, in particular, showing that you are implementing technical and organisational measures. A certification mechanism may also be established to demonstrate the existence of appropriate safeguards related to the adequacy of data transfers. They are intended to allow individuals to quickly assess the level of data protection of a particular product or service.

What are the practical implications?

Certification does not reduce your data protection responsibilities. You must provide all the necessary information and access to your processing activities to the certification body to enable it to conduct the certification procedure. Any certification will be valid for a maximum of three years. It can be withdrawn if you no longer meet the requirements of the certification, and the supervisory authority will be notified. If you fail to adhere to the standards of the certification scheme, you risk being subject to an administrative fine of up to 10 million Euros or 2 per cent of your global turnover.

Under Articles 40 and 41 of the GDPR, codes of conduct are explicitly recognized and encouraged as a way to meet security requirements. Article 32(3) (Security of

Processing) states that “adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.”


Art. 41 GDPR Monitoring of approved codes of conduct

Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

The competent supervisory authority shall submit the draft requirements for accreditation

1 ... 15 16 17 18 19 20 21 22 23 ... 71
Go to page:

Free e-book «GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗» - read online now

Comments (0)

There are no comments yet. You can be the first!
Add a comment