GDPR Learning Hub

Roles according to GDPR

Data Protection Officer (DPO)

Some companies are required to appoint a Data Protection Officer (DPO) under the EU General Data Protection Regulation (GDPR). Companies that are not required to appoint one may still choose to do so as a privacy-enhancing measure.

Some companies need a Data Protection Officer (DPO)

If the company appoints a Data Protection Officer voluntarily, without being required to do so under the GDPR, the same rules apply as if the appointment had been mandatory. A company that appoints a Data Protection Officer shall register the Data Protection Officer with the national supervisory authority. The Data Protection Officer’s main task is to monitor that the company’s processing of personal data complies with the GDPR. Below you can read more about Data Protection Officers and their tasks.

Knowledge that Data Protection Officers need to have

A Data Protection Officer should have certain knowledge to carry out its duties, including:

  • Knowledge of data protection and applicable data protection legislation, including GDPR. 
  • Knowledge of the company’s core business and how it processes personal data. In addition, knowledge of the organizational and technical measures that the company has taken to, among other things, protect personal data and meet the rights of the data subjects.

Important role

Please note that the personal characteristics of the Data Protection Officer also play an important role. For example, it is important that the Data Protection Officer has the ability to disseminate and convey information within a company. In addition, the Data Protection Officer needs to be able to create a data protection culture within the company. 

If the company carries out complex processing of personal data, or handles large amounts of sensitive personal data, the Data Protection Officer needs to have correspondingly more in-depth knowledge of data protection.

Duties of the Data Protection Officer

The Data Protection Officer’s tasks consist of supporting the company in its work with data protection and the processing of personal data. This is done, among other things, through the following tasks:


Information and advice

The Data Protection Officer shall provide advice and information regarding the company's obligations under applicable data protection legislation, including the GDPR. This shall be provided to both management and employees who process personal data, as well as others who need the information.


Impact assessments

If the company needs to carry out a data protection impact assessment, the Data Protection Officer shall be involved in the process. The same applies if the company is considering carrying out another type of personal data related assessment.


Contact point

The Data Protection Officer is a contact point for management, employees, data subjects and the national data protection authority. Employees and data subjects have the right to contact the Data Protection Officer on data protection-related matters, and the Data Protection Officer’s contact details shall therefore be made available. For example, the company should publish the contact details in the privacy notice on its official website.


Other tasks of the Data Protection Officer

Other tasks include conducting internal audits, investigating personal data breaches and analysing specific data protection issues.

Resources needed for the Data Protection Officer to carry out its duties

The company shall ensure that the Data Protection Officer is provided with sufficient resources to carry out its duties. This includes, for example, informing the Data Protection Officer of planned new personal data processing operations in good time, so that the Data Protection Officer is able to assess them before they start. In addition, the Data Protection Officer has the right to further training in the field of data protection in order to maintain their expert knowledge.

Who can be a Data Protection Officer for a company

A Data Protection Officer needs some knowledge in, for example, law, but does not necessarily have to be a lawyer or solicitor. However, it is not uncommon for lawyers or solicitors to be Data Protection Officers. The Data Protection Officer needs knowledge of applicable laws and regulations in the field of data protection, such as the GDPR. 

It is also possible that the Data Protection Officer is engaged in the form of an external consultant from another company. It is therefore not necessary that the Data Protection Officer is employed by the company within which the assignment is to be performed. In addition, it is possible for one and the same person to be the Data Protection Officer for several different companies at the same time. The task of a Data Protection Officer can be performed full-time or part-time, depending on the company’s needs.

Summary of who may be the Data Protection Officer:

  • Employees or externally contracted consultants. 
  • Natural persons or legal persons. Please note that if a legal person is appointed as Data Protection Officer, an individual from that company must be designated as the contact person.

When a person may not be a Data Protection Officer

It is important to ensure that the Data Protection Officer is an independent party. Data Protection Officers have an independent position in the company, which means that no one else within the organization may instruct the Data Protection Officer on how to carry out their tasks. A Data Protection Officer may have other duties as well, but those duties must not result in a conflict of interest between the Data Protection Officer and the company.

An example of such a conflict of interest is a Data Protection Officer who is also a member of the company’s management, since that person would be assessing processing decisions they themselves are responsible for. Such a person must not be the company’s Data Protection Officer. For the same reason, a CEO of a company cannot be regarded as having the independence required to be a Data Protection Officer.

Report contact details to the data protection authority

Companies that have appointed a Data Protection Officer shall notify the national data protection authority of the appointment. They shall also provide the contact details of the Data Protection Officer (or, if applicable, of its contact person). Where a data protection authority supervises the company, the Data Protection Officer shall cooperate with the authority and act as the company’s contact point.

Which companies must have Data Protection Officers in accordance with the requirements of the GDPR

  • If the company’s core activities consist of processing sensitive personal data, such as health data, on a large scale. For example, hospitals.
  • If the company’s core activities consist of regular and systematic monitoring of people on a large scale. For example, a telecommunication company.

Please note that public authorities and bodies must always have a Data Protection Officer, except for courts acting in their judicial capacity.

More information about roles in GDPR

Companies that process personal data in the role of data controller according to GDPR

The company that determines the purposes and means of the processing of personal data, i.e. why and how the processing should take place, is the controller under the GDPR. Thus, it is not a specific individual within the company who holds that role; it is the legal entity that does. However, in some cases an individual can be a data controller, for example a sole trader, or a private individual installing a camera at their entrance door pointing out towards a public road. In addition, it is possible for several companies to be joint controllers.
