A Data Protection Officer (DPO) is an employee or contractor who helps the company introduce and maintain compliance with the data protection laws of the European Union and the European Economic Area.
A Data Protection Officer should not be confused with a Chief Protection Officer, Chief Privacy Officer or Chief Information Security Officer (and cannot be replaced by a chief officer the company may already have had in place before May 2018).
- The DPO role is first introduced.
- In Germany, a law establishes a requirement for a DPO in certain organisations.
- WP29 issues its Guidelines on Data Protection Officers (‘DPOs’).
- The GDPR becomes applicable.
- The EDPB endorses the Guidelines on DPOs.
- The Spanish DPA fines Glovoapp23 for failing to designate a DPO and to notify data subjects of the DPO’s contact details.
Legal IT Group as your DPO
Team. Learning. Awareness
The strong results of the individual employees are what confirm that the team as a whole complies with the GDPR.
DPIA for new processes/products
The DPO assists your team in examining privacy policies and acquiring knowledge of the core issues.
The DPO monitors whether a DPIA is necessary and advises the employees throughout the assessment period.
Scheduled review of privacy documents
The DPO sets out a schedule for reviewing the documents and updates them in line with changes in business processes and applicable laws.
Interaction with the users
(answers to requests)
The DPO is the primary point of contact for the data subject and coordinates the process of handling the request.
Interaction with clients
(answers to privacy-related issues)
The DPO supports the sales department during negotiations with a client. The DPO assists the marketing office and informs the company’s clients about the company’s privacy protection policies.
Cooperation with the supervisory authority
The DPO communicates with the supervisory authority and drafts the answers to its requests. The DPO monitors whether it is necessary to consult the authority or to report data breaches.
It doesn’t matter what role your organisation plays in a chain of data processing. Both controllers and processors have to hire or contract a DPO, provided they meet the threshold.
Article 37(1) of the GDPR requires the designation of a DPO in three specific cases:
- where the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
If you are not sure what some of these definitions mean with respect to your processing practices, you may ask our privacy team. Schedule a call to learn more of our DPO service and whether we can be a perfect match for your organisation.
This list can be complemented with the requirements of the EU member state law you have to comply with. So, you should check your national law to know whether you have to designate a DPO (especially if you are working with health data, banks, national IDs, religious or legal information, or otherwise have access to the data protected by confidentiality or secrecy).
Also, be aware of differences in how the thresholds are assessed. For instance, one state may judge “large scale processing” by comparing the number of users with the population of a specific area, while another state may tie “large scale processing” to a particular number of unique users in the company’s database.
However, if you have your doubts, it may be feasible to hire one just in case.
The GDPR does not require the DPO to be an employee. On the contrary, it expressly mentions “external” DPOs and describes the contents of the service contract if you decide to outsource this task to a skilled independent professional (or even a privacy team).
Article 37(5) provides that the DPO ‘shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’. Recital 97 provides that the necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed.
Other skills include:
- Level of expertise (in relevant fields).
We worked with gamedev, cloud solutions, e-commerce, online education, AdTech and digitalised offline businesses. Please look at our Clutch page to learn more.
- Professional qualities.
We work closely with the privacy laws of the U.S., the European Union and Ukraine. We are certified and trained lawyers, and we possess relevant expertise in handling DSARs, assisting with supplier assessment checks and drafting data processing agreements.
- Ability to fulfil its tasks.
We have a variety of services to offer. From relevant consulting and drafting necessary documents to navigating complicated court proceedings and out-of-court confidentiality violation disputes.
The GDPR makes it clear that it is the controller, not the DPO, who is required to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ (Article 24(1)). Data protection compliance is a corporate responsibility of the data controller, not of the DPO.
However, the data controller benefits from the DPO’s expertise and insights as counsel. The DPO is therefore accountable to the company’s top management, up to its highest level. The CEO, CFO, CISO, CLO and other chief officers should take the DPO’s advice into account and make sure that the DPO has all the resources needed to provide them with the most relevant information and assessment results.
The DPO is closely linked to the public image of the company, as the DPO is often the first point of contact for a dissatisfied user or a worried tech journalist. Choose your DPO wisely.
Get in contact with one of our resident privacy experts and schedule a call to see whether we’re on the same page with your tech.
You may request an NDA to be signed prior to the call. Otherwise, you can stop by our Kyiv office and enjoy the scenery of the city centre during a cup of fresh coffee. Make sure you’ve made the appointment so we will be ready to answer your questions.
Dozens of accomplished and comprehensive GDPR compliance projects in the sphere of IT business
Experience in CCPA/PIPEDA cases and other regulations on the protection of privacy
Experience in completing data privacy projects: adtech, medtech, fintech and projects involving AI and BD technologies