DPO as Service

It doesn’t matter what role your organisation plays in a chain of data processing. Both controllers and processors have, given they meet the threshold, hire or contract a DPO. 

Article 37(1) of the GDPR requires the designation of a DPO in three specific cases:

• where the processing is carried out by a public authority or body;
• where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
• where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
  

   

   

  If you are not sure what some of these definitions mean with respect to your processing practices, you may ask our privacy team. Schedule a call to learn more of our DPO service and whether we can be a perfect match for your organisation. 

  This list can be complemented with the requirements of the EU member state law you have to comply with. So, you should check your national law to know whether you have to designate a DPO (especially if you are working with health data, banks, national IDs, religious or legal information, or otherwise have access to the data protected by confidentiality or secrecy). 

  Also, be aware of the differences in addressing the thresholds. For instance, one state can calculate “large scale processing” in comparison of the user percentage in the population of a specific area. On the other hand, another state may link the “large scale processing” with a particular number of unique users in a company’s database. 

  However, if you have your doubts, it may be feasible to hire one just in case.

The GDPR doesn’t set the strict rule to employ the DPO. On the contrary, it clearly mentions the “external” DPOs, describing the contents of the service contract if you decide to outsource this task to a skilled independent professional (or even a privacy team). 

Article 37(5) provides that the DPO ‘shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’. Recital 97 provides that the necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. 

Other skills include: 

• Level of expertise (in relevant fields).
  We worked with gamedev, cloud solutions, e-commerce, online education, AdTech and digitalised offline businesses. Please look at our Clutch page to learn more. 
• Professional qualities.
  We work closely with the privacy laws of the U.S., the European Union and Ukraine. We are certified and trained lawyers, and we possess a relevant expertise in dealing with the DSARs, assisting with the supplier assessment checks and drafting data processing agreements.
• Ability to fulfil its tasks.
  We have a variety of services to offer. From relevant consulting and drafting necessary documents to navigating complicated court proceedings and out-of-court confidentiality violation disputes. 

The GDPR makes it clear that it is the controller, not the DPO, who is required to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ (Article 24(1)). Data protection compliance is a corporate responsibility of the data controller, not of the DPO. 

However, the data controller benefits from the DPO’s expertise and insights as a counsel. The DPO therefore is accountable to the company’s top management, including the highest management circles. CEO, CFO, CISO, CLO and other chief officers shall keep in mind the advice of the DPO and make sure that the DPO possesses all necessary resources to provide them with the most relevant information and assessment results. 

DPO is closely linked to the public image of the company, as the DPO is often a first contact of a dissatisfied user or worried tech journalist. Choose your DPO wisely. 

Sure! 

Get in contact with one of our resident privacy experts and schedule a call to see whether we’re on the same page with your tech. 

You may request an NDA to be signed prior to the call. Otherwise, you can stop by our Kyiv office and enjoy the scenery of the city centre during a cup of fresh coffee. Make sure you’ve made the appointment so we will be ready to answer your questions.