November 8, 2023
Designating a data protection officer (DPO) is a statutory obligation on the controller and the processor in certain circumstances under the EU's General Data Protection Regulation (GDPR). Below is an overview of the GDPR's provisions on the DPO that enterprises and organisations can refer to, given that Decree No.13/2023/ND-CP does not specify this obligation.
Which subjects must designate a DPO?
Both the controller and the processor are under an obligation to designate a DPO if they fall within the cases stipulated by the GDPR or where required by Union or Member State law[1].
In which cases must a DPO be designated?
The controller and the processor shall designate a DPO in the following cases[2]:
What are the required qualifications for a DPO?
The GDPR does not prescribe a quantitative standard for enterprises and organisations to designate a DPO; instead, they shall appoint a DPO on the basis of statutory factors, including professional qualities; expert knowledge of data protection law and practices; and the ability to fulfil the DPO's tasks stipulated in Article 39 of the GDPR[3],[4]. The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor[5].
How many DPOs are required for each business?
Each enterprise or organisation that falls within the required cases needs at least one DPO. In addition, a group of undertakings may appoint a single DPO, provided that the DPO is easily accessible from each establishment.
Which resources can DPO be designated from?
A DPO may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
Where the DPO is an employee of the controller or the processor, the following specific principles apply:
Is it mandatory to communicate the DPO's details to the authorities?
Yes. Enterprises and organisations must communicate the contact details of the DPO to the supervisory authority. Additionally, the controller and the processor must publish this information so that data subjects can contact the DPO when needed[9].
What are the responsibilities of the controller and the processor towards DPO?
To ensure the effectiveness of the DPO's activities, enterprises and organisations must fulfil the following responsibilities:
What are the statutory tasks of the DPO?
The data protection officer shall have at least the following tasks[14]:
In performing his or her tasks, the DPO shall be bound by secrecy or confidentiality concerning the performance of those tasks, in accordance with Union or Member State law[15].
Are there any risks if enterprises fail to comply with the regulations on the DPO?
The intentional or negligent infringement of the DPO provisions by enterprises and organisations within the scope of the GDPR is subject to administrative fines of up to 10.000.000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher[16].
PrivacyCompliance provides solutions related to ensuring compliance with personal data regulations, assessing the impacts of personal data processing, and DPO services.
[1] GDPR, Article 37.1
[2] GDPR, Article 37.1 and 37.4
[3] GDPR, Article 37.5
[4] Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
[5] GDPR, Recital 97
[6] GDPR, Article 38.3
[7] GDPR, Article 38.6
[8] GDPR, Recital 97
[9] GDPR, Article 37.7
[10] GDPR, Article 38.1
[11] GDPR, Article 38.2
[12] GDPR, Article 38.3
[13] GDPR, Article 38.4
[14] GDPR, Article 39
[15] GDPR, Article 38.5
[16] GDPR, Article 83.4