The controller and the processor shall designate, where applicable, a Data Protection Officer (DPO) on the basis of professional qualities and, in particular, knowledge and experience on data protection law and practices, and ability to fulfil the assigned tasks.
The controller (or the processor) shall ensure that the Data Protection Officer is involved properly and in a timely manner in all issues related to the protection of personal data and is able to perform the duties and tasks independently.
The DPO shall directly report to the executive management member of the controller who is responsible for compliance with the EU Data Protection Regulation. The Data Protection Officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.
The controller (or the processor) shall communicate the DPO’s name and contact details to the supervisory authority and to the public: data subjects shall have the right to contact the Data Protection Officer on all issues related to the processing of their data and to request the exercise of the rights under the EU Regulation.
The controller (or the processor) shall support the DPO in performing the tasks and shall provide all means, including staff, premises, equipment and any other resource needed to carry out the duties and tasks assigned, and to maintain his or her professional knowledge.
The DPO, in exercising his or her role, must ensure the confidentiality and secrecy of the data subjects’ identities and information, unless released from that obligation by the data subject.
The DPO’s mission should include, at least, the following tasks:
- to create awareness, by informing and advising the controller or the processor of their obligations pursuant to the EU Regulation, and of the related technical and organisational measures and procedures needed
- to monitor the implementation and application of the policies in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits
- to monitor the implementation of the requirements related to data protection by design, data protection by default and data security
- to monitor the documentation, notification and communication of personal data breaches
- to monitor the response to requests from the supervisory authority, and to co-operate with the supervisory authority at the latter’s request or on the Data Protection Officer’s own initiative
- to act as the contact point for the supervisory authority on issues related to data processing, and consult with the supervisory authority, if appropriate, on his/her own initiative.