November 8, 2023
Designating a data protection officer (DPO) is one of the statutory obligations on the controller and the processor in some particular circumstances according to the EU’s General Data Protection Regulation (GDPR). Here is an overview of GDPR regulations on DPO that enterprises and organisations can refer to, in the context that Decree No.13/2023/ND-CP does not specify this obligation.
Both the controller and the processor shall be under the obligation to designate DPO if they are in statutory cases that require a DPO assigned or where required by Union or Member State[1].
The controller and the processor shall designate a DPO in the following case[2]:
GDPR does not prescribe a quantitative standard for enterprises and organizations to designate DPO, instead, the subjects shall appoint a DPO according to statutory factors, including professional qualities; expert knowledge of data protection law and practices; ability to fulfil the DPO’s tasks stipulated in Article 39 of GDPR[3],[4]. The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor[5].
Each enterprise and organization in cases where required shall need at least 01 DPO. Besides, a group of undertakings may appoint a single DPO provided that the DPO is easily accessible from each establishment.
A DPO may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
In case the DPO is an employee of the controller or the processor, the following specific principles are required to apply:
Yes. Enterprises and organizations must communicate the contact details of the DPO to the supervisory authority. Additionally, the controller and the processor must publish such information so that data subjects can contact in need[9].
To ensure the effectiveness of the DPO’s activities, enterprises and organizations need to adhere to the following responsibilities:
The data protection officer shall have at least the following tasks[14]:
Throughout his or her performance, the DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State laws[15].
The intentional or negligent violation of DPO regulations from enterprises and organizations which are under the scope of GDPR shall be subject to administrative fines up to 10.000.000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher [16]./.
PrivacyCompliance provides solutions related to ensuring compliance with personal data, assessing the impacts of personal data processing, and DPO service. |
PrivacyCompliance
#GDPR #personaldata #DPO #sensitivepersonaldata #dataprotectionofficer
[1] GDPR, Article 37.1
[2] GDPR, Article 37.1 và 37.4
[3] GDPR, Article 37.5,
[4] Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
[5] GDPR, Recital 97
[6] GDPR, Article 38.3
[7] GDPR, Article 38.6
[8] GDPR, Recital 97
[9] GDPR, Article 37.7
[10] GDPR, Article 38.1
[11] GDPR, Article 38.2
[12] GDPR, Article 38.3
[13] GDPR, Article 38.4
[14] GDPR, Article 39
[15] GDPR, Article 38.5
[16] GDPR, Article 83.4
HIPAA PRIVACY RULE: MECHANISMS FOR PERSONAL HEALTH INFORMATION PROTECTION The Privacy Rule is one of the core rules of HIPAA which governs the conditions, timing, and circumstances under which protected health information (PHI) may be used or disclosed. It establishes standards that grant patients rights over their health data, enhancing their control over its use […]
Learn more
OVERVIEW OF HIPAA RULES ON DATA PROTECTION Overview of HIPAA Act and Its Rules The Health Insurance Portability and Accountability Act (HIPAA or the Act) is a U.S. federal law designed to protect the privacy and security of individuals’ health information while facilitating healthcare operations and preventing waste, fraud, and abuse in the healthcare […]
Learn more
INTRODUCTION TO HIPAA: EVOLUTION OF DATA PROTECTION STANDARDS The rapid proliferation of information technology has driven the healthcare sector to transition from paper-based medical records to comprehensive electronic health record (EHR) systems. Although paper charts are subject to certain physical vulnerabilities, and despite the convenience and storage capacity afforded by digital platforms, electronic systems confront […]
Learn more