Do I need a Data Protection Officer (DPO) to comply with the GDPR?
You will need a Data Protection Officer only if one of the following applies:
- You are a public authority or body.
- Your core activities involve systematic monitoring of people on a large scale.
- Your core activities involve large amounts of data from the special categories, such as racial, religious, sexual, etc. data; a more complete list can be found in Art. 9 of the GDPR. (This also applies if you are located outside the EU and are processing personal data of people within the EU, in which case the GDPR is also applicable to you.)
Some of these requirements are subjective, and we can advise you whether you need a DPO or not. If needed, please contact us here, and we can advise you whether a DPO is necessary or just a Representative is sufficient.
What are the requirements for this representative and what is its purpose?
The purpose of the DPO is to monitor and assist your organisation with internal compliance with this legislation. The GDPR sets some minimum requirements for the tasks of the DPO. These are:
- Inform and advise the organization regarding any EU data protection requirements and legislation which are applicable to it.
- Monitor compliance with the above-mentioned requirements and legislation.
- Advise on and monitor the effectiveness of Data Protection Impact Assessments (DPIAs).
- Act as the point of contact with the applicable EU Data Protection Authorities.
The requirements for the DPO are rather broad and simple. The DPO should be chosen on the basis of his or her:
- Professional Qualities
- Expert knowledge of Data Protection Laws
- Ability to fulfill the required tasks as mentioned above.
Furthermore, the European Data Protection Board advises, but does not necessarily require, that the DPO be located in the EU.
Finally, there are some other aspects that are important to know. As a group of organisations, you may share an EU data protection officer. The DPO must maintain a certain level of confidentiality by law, whilst also reporting to the highest management within the organization. However, he/she is not allowed to receive instructions while exercising the tasks mentioned above. If you are looking for more info or a Data Protection Officer located in the EU, please contact us here.
In case you don’t need a DPO and you are processing information of EU citizens from outside the EU, you probably still need a Representative. For more information, please visit our representative page here.