Plesner Data Protection Law Certificate
When the EU Data Protection Regulation enters into force, it will be a requirement that public authorities appoint a data protection officer (DPO). The requirement also applies to undertakings the core activity of which consists of either processing operations that require extensive monitoring of the data subjects or extensive processing of sensitive data. Further to the new Regulation requirements Plesner offers the "Plesner Data Protection Law Certificate". The Certificate will also be relevant to persons who are to work with the implementation of the Regulation but who are not to be a DPO.
At the same time the stricter Regulation rules also mean that it may be expedient for organisations not directly covered by the Regulation requirement of a DPO to establish a similar function.
Even though the material rules in several central areas will continue with the Regulation, the requirements for the data controllers' compliance in practice - and not least their ability to document such compliance - will for most undertakings result in a need for an increased effort and not least increased formalisation of the personal data work.
As a consequence of the stricter Regulation requirements Plesner will offer the "Plesner Data Protection Law Certificate".
Read more about the "Plesner Data Protection Law Certificate" (in Danish)
These organisations must have a DPO
In the first Data Protection Regulation drafts the requirement that a data protection officer (DPO) be appointed was based on criteria of the size of the data controlling organisation (more than 250 employees) or the number of data subjects whose data the organisation was processing. In connection with the concluding negotiations such principles were abandoned and now the requirement will apply to specific types of undertaking.
Firstly, the requirement will apply to public authorities (courts excepted). A group of authorities may appoint a joint DPO but the scope of tasks will limit the number of authorities in such a solution.
Secondly, the requirement will apply to undertakings the core activities of which consist of data processing operations which by virtue of their nature, their scope and/or their purposes require regular and systematic monitoring of the data subjects.
Thirdly, the requirement will apply to undertakings processing data that the terminology of the Regulation refers to as "special categories of personal data" as defined in Article 9 of the Regulation - defined by the currently applicable Danish Data Protection Act as "Section 7 data" and that cover data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sex life.
Such criteria seem to fit the general focus of the Regulation on risk from the viewpoint of the data subject as the specified organisations will partly process substantial data quantities and partly process a data type the processing of which will have significant consequences for the data subjects if such processing is not in compliance with the Regulation.
The tasks of the DPO
Another innovation compared to the first drafts is the provision that the data subjects must be entitled to contact the DPO in relation to all questions about the processing of their data and exercise of their rights.
When this is added to the fact that the tasks of a DPO established by the Regulation also include monitoring and control of the data controller's processing of personal data and a role as contact person and link between the data controller and the supervisory authorities, it follows that significant requirements must be placed on the independence of the DPO if the position is to have any impact.
The Regulation also implies that it is a position that will enjoy legal safeguards to the effect that a DPO enjoys certain protection against dismissal and sanctioning; but it is also a requirement that the data controller must ensure the DPO's independence and possibility of carrying out his or her duties; for example that the data controller provides the resources necessary for the DPO. It is a significant requirement that the DPO must be able to report directly to the highest management level of the data controller. The DPO is also bound by the confidentiality obligation established by the Regulation.
In many ways the DPO's position in the undertaking could be compared to a compliance function - but the significant difference being that the DPO is subject to a special requirement in respect of the DPO's professional qualifications in relation to personal data protection ("expert knowledge of data protection law and practices"). It follows directly from the Regulation that a DPO must be appointed on the basis of the DPO's professional qualities, including expert knowledge of data protection law and practices and the ability to fulfil the tasks to be carried out by the DPO under the Regulation.
In addition to ensuring that a DPO has the relevant qualifications at the time at which the DPO is appointed, the data controller must ensure that the required high competence level is maintained; i.e. that the DPO updates his or her expert knowledge through the required supplementary training.
Please note that
- the DPO requirement applies to public authorities and undertakings that carry out extensive processing of sensitive data or that process data where the actual processing implies extensive and regular monitoring of the data subjects
- a DPO is the supervisory authority's as well as the data subjects' contact person and representative in relation to the data controller and the DPO must consequently be able to act independently in relation to the data controller
- the data controller must ensure that the DPO appointed has the required qualifications - at the time of the appointment as well as at any time during the term of office. The DPO must have expert knowledge of data protection law and practices.