The Data Protection Officer Service can be provided internally by means of an employment contract or externally in the framework of a contract of services provided.
The General Data Protection Regulation (GDPR) establishes a series of “proactive responsibility measures”. These measures include the figure of the Data Protection Officer (DPO), a figure that did not exist in the previous LOPD.
The Spanish and European legislation maintains a non-exhaustive list of the sectors that must have a Data Protection Delegate (DPD, the Spanish term for the DPO) service. The following are some of the sectors mentioned in the GDPR and LOPDGDD legislation:
- Public authorities, except courts acting in the exercise of their judicial function.
- Processing of data which, because of their nature, extent and/or purposes, require regular and systematic observation of data subjects on a large scale.
- Processing of special categories of personal data (art 9 GDPR) and of data relating to criminal convictions and offenses (art 10 GDPR).
- Professional associations and their general councils.
- Educational institutions.
- Electronic communication services.
- Providers of information society services.
- Management, supervision and solvency services of credit institutions.
- Financial credit establishments.
- Insurance and reinsurance companies.
- Investment services, regulated by the legislation of the Securities Market.
- Provision of electricity distribution and commercialization services and natural gas distributors and commercializers.
- Solvency and credit.
- Advertising and commercial prospecting activities and services, including commercial and market research entities, when they carry out processing based on the preferences of the data subjects, or carry out activities and services that involve building profiles of them.
- Healthcare centers legally obligated to keep patients’ medical notes.
- Electronic gaming operators.
- Private security companies.
- Entities that have as one of their objects and services the emission of commercial reports that may refer to individuals.
- Sports federations when processing data of minors.
- Controllers and processors not included in the list above may voluntarily designate a DPD, who will be subject to the regime established in Regulation (EU) 2016/679 and in the aforementioned Spanish organic law.
When and why is it recommendable to hire the service of a Data Protection Officer?
As explained in the previous section, not all organizations must hire the services of a Data Protection Officer. Appointing a DPO may be advisable in the following situations:
- Organizations with doubts about the categories of data they process.
- Organizations with a high volume of data processing that consider it to be on a large scale.
- Companies that have received requirements or warnings from European supervisory authorities.
- To minimize economic, legal and reputational risk: entities facing a high risk of sanction that want to reduce a potential fine by having voluntarily appointed a DPO.
- To improve information control and, therefore, quality and competitiveness.
- To give confidence to clients or users.
- Organizations with several offices or subsidiaries that want to centralize and harmonize compliance with data protection legislation.
Functions of the Data Protection Delegate service:
- Informing and advising companies and their employees about the different data protection requirements.
- Supervising compliance with the legislation, as well as with the different protocols put in place.
- Advising on the need to carry out a personal data protection impact assessment (PIA), as well as supervising its correct application.
- Cooperating with the different European supervisory authorities in relation to any request for information or in the exercise of their functions.
- Acting as a contact point for the supervisory authorities and for the people making a complaint.
- Intervening in the case of a complaint or requirement, to mediate and solve any problems that may have occurred.
The legislation itself allows this role to be outsourced, since a company's own employees may lack the training needed to perform all the DPD functions.
To meet this need, Auratech offers the Data Protection Delegate service externally. We cover the functions of informing and advising the controller and the employees of their obligations under the regulation. We supervise compliance with the legislation and raise awareness among, and train, the personnel involved in the processing operations.
Auratech will permanently monitor compliance with the requirements of the legislation, including those associated with the implementation of new processing operations, such as carrying out privacy impact assessments.
We provide a communication service in which we act as direct interlocutors between the competent European supervisory authority and the complaining data subject. This communication activity is complemented by informing the data controller and the employees about their obligations.
The service is offered following a hybrid provision model (partly on-site, partly remote), with Service Level Agreements (SLA) and procedures agreed between Auratech and each client, depending on their situation and size.
If you are considering implementing the figure of the DPO by outsourcing the service, Auratech offers you this possibility through its lawyers specialized in Data Protection. Avoid increasing your personnel costs while complying with the legislation in a technical and independent way.