5 questions and answers on the topic Trustee or DPO

Have you got your data protection officer yet? Do you have to have one? How do you choose one? What will they do and how can you control them? There is still a lot of confusion around the "new" feature brought by GDPR.

I'm sure the date of 25 May has long been highlighted in your calendar. That's the day, among other things, that your data protection officer (DPO) will take his or her seat. But there are still many questions surrounding this position. The following lines will answer at least the most common ones.

1. Why now?


In the opening paragraph, we referred to the DPO function as "new". We did not use quotation marks by accident. In fact, the position has existed in some EU countries for several years, but it is only the GDPR that makes it mandatory for certain institutions across the EU.

2. Do I need to have a data protection officer?

Not necessarily. In particular, public bodies and institutions that regularly and systematically handle personal data or process sensitive data are required to have a DPO. However, the EU recommends having a DPO even if you do not fall into these categories.

3. How do I choose a data protection officer?

You have a choice of two options (internal or external DPO), and you will subsequently need to ensure that there is no conflict of interest. For example, the DPO will not be allowed to determine the purposes and means of processing personal data in your organisation.

4. Does the DPO need to be certified?

Although there will be a plethora of certified DPOs on the job market in the foreseeable future, the GDPR does not stipulate the need for such a certificate. A DPO simply needs to meet certain professional qualities, particularly knowledge in the areas of law and data protection.

5. What responsibilities will the DPO have if he is my employee?

The General Data Protection Regulation provides that the DPO is not liable if the processing carried out by the entity that appointed him/her does not comply with the Regulation. These activities are the responsibility of the controller. The GDPR further provides that DPOs "should not be dismissed or sanctioned by the controller or processor in connection with the performance of their tasks."

The role of the DPO will not be straightforward. The DPO will have many difficult tasks. We keep track of these tasks and responsibilities in our team. If you have any questions in relation to the duties DPOs will be required to perform, please do not hesitate to contact us.