
5 FAQs about the Data Protection Officer

Fondia Lietuva

November 4th, 2022


After the GDPR came into force, many companies designated, or are planning to designate, a Data Protection Officer (DPO). Below are the questions businesses most frequently ask about the DPO, together with the answers.

1.  Who is the DPO?

The DPO is an expert responsible for monitoring the processing of personal data and compliance with data protection laws throughout an organization. In other words, it is the person to whom you can delegate various data protection matters (e.g., responding to the requests of data subjects and supervisory authorities, evaluating the necessity of performing a data protection impact assessment after starting to use new software, etc.) while you concentrate on your business growth.

2.  What are the main tasks of the DPO?

The main tasks of the DPO are listed below:

  • to inform companies and employees processing personal data about their obligations under the GDPR and other legal acts and advise them on these issues, as well as organize data protection training;

  • to ensure the compliance of company documents and processes with GDPR;

  • to provide advice on the data protection impact assessment and monitor its performance;

  • to cooperate with the supervisory authority and act as the contact person for the supervisory authority on issues relating to data processing.

3.  When is it mandatory to designate the DPO?

The DPO must be designated if at least one of the following conditions is present:

  • the processing of personal data is carried out by a public authority or body (except for courts and other judicial institutions), i.e., any government or other public administration, including public advisory bodies, at the national, regional or local level, performing public administrative functions under national law, including specific duties, activities or services. It should be noted that a public task may be carried out by other natural or legal persons in sectors such as public transport, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.

  • the core activities of the business consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (e.g., companies providing targeted advertising, website analytics and direct marketing services, insurance companies, loan providers, private security companies carrying out surveillance, etc.);

  • the core activities of the business consist of processing special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation) or personal data relating to criminal convictions and offences.

Unless it is obvious that an organisation is not required to designate a DPO, it is highly recommended to carry out an internal analysis to determine whether or not a DPO has to be appointed, as this analysis is part of the documentation required by the accountability principle of the GDPR.

It should be noted that a company could designate a DPO on a voluntary basis, which would undoubtedly help to ensure compliance with the GDPR and improve the company’s reputation among its customers and partners.

4.  What are the professional qualities that the DPO should have?

The DPO shall be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks.

The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support.

Relevant skills and expertise include:

  • expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;

  • understanding of the processing operations carried out;

  • understanding of information technologies and data security;

  • knowledge of the business sector and the organization;

  • ability to promote a data protection culture within the organization.

5.  Is it better to designate an internal or an external DPO?

In practice, there are two main options for DPO designation – internal and external DPO.

When it comes to the internal DPO, an employee of the company is usually designated as the DPO. In this scenario it is very important to bear in mind that the DPO must act in an independent manner, meaning that he or she is not bound by the instructions of the employer regarding the exercise of the DPO’s tasks and cannot be dismissed or penalised for performing them. Nevertheless, the organization’s internal DPO should be able to report data protection issues directly to the highest management level of the company, which might be difficult to implement in practice, as employees usually can report only to their direct manager.

What is more, the tasks and duties of a DPO must not result in a conflict of interest. As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of the marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of data processing.

As a result, it is recommended to assign the function of the DPO to an external service provider, where one person or a whole team provides services to the particular company and effectively carries out the DPO tasks. Fondia Lithuania data protection experts provide such a service. You can read more about Data Protection Officer as a service (DPOaaS) here.

 
