Data protection officer (DPO) under the GDPR

Designating a data protection officer (DPO) is one of the statutory obligations on the controller and the processor in some particular circumstances according to the EU’s General Data Protection Regulation (GDPR). Here is an overview of GDPR regulations on DPO that enterprises and organisations can refer to, in the context that Decree No.13/2023/ND-CP does not specify this obligation.

Which subjects must designate a DPO?

Both the controller and the processor shall be under the obligation to designate DPO if they are in statutory cases that require a DPO assigned or where required by Union or Member State[1].

In which cases must a DPO be designated?

The controller and the processor shall designate a DPO in the following case[2]:

• (i) The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
• (ii) The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
• (iii) The core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
• (iv) Where required by Union or Member State law.

What are the required qualifications for a DPO?

GDPR does not prescribe a quantitative standard for enterprises and organizations to designate DPO, instead, the subjects shall appoint a DPO according to statutory factors, including professional qualities; expert knowledge of data protection law and practices; ability to fulfil the DPO’s tasks stipulated in Article 39 of GDPR[3],[4]. The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor[5].

How many DPOs are required for each business?

Each enterprise and organization in cases where required shall need at least 01 DPO. Besides, a group of undertakings may appoint a single DPO provided that the DPO is easily accessible from each establishment.

Which resources can DPO be designated from?

A DPO may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

In case the DPO is an employee of the controller or the processor, the following specific principles are required to apply:

• (i) DPO shall not be dismissed or penalised by the controller or the processor for performing his tasks[6].
• (ii) DPO may fulfil other tasks and duties, along with data protection; The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests[7].
• (iii) DPO should be in a position to perform their duties and tasks in an independent manner[8].

Is it mandatory to communicate the information of DPO with the authorities?

Yes. Enterprises and organizations must communicate the contact details of the DPO to the supervisory authority. Additionally, the controller and the processor must publish such information so that data subjects can contact in need[9].

What are the responsibilities of the controller and the processor towards DPO?

To ensure the effectiveness of the DPO’s activities, enterprises and organizations need to adhere to the following responsibilities:

• (i) To ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data[10].
• (ii) To support the DPO in performing the tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge[11].
• (iii) To ensure that the DPO does not receive any instructions regarding the exercise of their tasks[12].
• (iv) To enable data subjects to contact DPO directly with regard to all issues related to the processing of their personal data and to the exercise of their rights under GDPR[13].

What are the statutory tasks of the DPO?

The data protection officer shall have at least the following tasks[14]:

• (i) To inform and advise the controller or the processor and the employees of their obligations pursuant to GDPR and other laws.
• (ii) To monitor compliance with GDPR, other Union or Member State data protection provisions and the policies of the controller or processor in relation to the protection of personal data.
• (iii) To provide advice where requested as regards the data protection impact assessment and monitor its performance.
• (iv) To cooperate with and act as the contact point for the supervisory authority on issues relating to personal data protection.

Throughout his or her performance, the DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State laws[15].

Are there any risks if enterprises fail to comply with the regulations on the DPO?

The intentional or negligent violation of DPO regulations from enterprises and organizations which are under the scope of GDPR shall be subject to administrative fines up to 10.000.000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher [16]./.

PrivacyCompliance

#GDPR #personaldata #DPO #sensitivepersonaldata #dataprotectionofficer

[1] GDPR, Article 37.1

[2] GDPR, Article 37.1 và 37.4

[3] GDPR, Article 37.5,

[4] Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

[5] GDPR, Recital 97

[6] GDPR, Article 38.3

[7] GDPR, Article 38.6

[8] GDPR, Recital 97

[9] GDPR, Article 37.7

[10] GDPR, Article 38.1

[11] GDPR, Article 38.2

[12] GDPR, Article 38.3

[13] GDPR, Article 38.4

[14] GDPR, Article 39

[15] GDPR, Article 38.5

[16] GDPR, Article 83.4