Rina Steenkamp - Privacy and technology

My annotated General Data Protection Regulation

Chapter IV Controller and processor

Section 4 Data protection officer

Article 35 Designation of the data protection officer

October 2013

Article 35(1)

1. The controller and the processor shall designate a data protection officer in any case where:

Article 35(2)

2. A group of undertakings may appoint a main responsible data protection officer, provided it is ensured that a data protection officer is easily accessible from each establishment.

Article 35(3)

3. Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.

Article 35(4)

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.

Article 35(5)

5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

Article 35(6)

6. The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.

Article 35(7)

7. The controller or the processor shall designate a data protection officer for a period of at least four years in case of an employee or two years in case of an external service contractor. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed if the data protection officer no longer fulfils the conditions required for the performance of their duties.

Article 35(8)

8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.

Article 35(9)

9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.

Article 35(10)

10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.

Article 35(11)

11. (deleted)

[Source: October 2013]

Recital 75

(75) Where the processing is carried out in the public sector or where, in the private sector, processing relates to more than 5000 data subjects within 12 months, or where its core activities, regardless of the size of the enterprise, involve processing operations on sensitive data, or processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. When establishing whether data about a large number of data subjects are processed, archived data that is restricted in such a way that they are not subject to the normal data access and processing operations of the controller and can no longer be changed should not be taken into account. Such data protection officers, whether or not an employee of the controller and whether or not performing that task full time, should be in a position to perform their duties and tasks independently and enjoy special protection against dismissal. Final responsibility should stay with the management of an organization. The data protection officer should in particular be consulted prior to the design, procurement, development and setting-up of systems for the automated processing of personal data, in order to ensure the principles of privacy by design and privacy by default.

Recital 75a

(75a) The data protection officer should have at least the following qualifications: extensive knowledge of the substance and application of data protection law, including technical and organizational measures and procedures; mastery of technical requirements for privacy by design, privacy by default and data security; industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed; the ability to carry out inspections, consultation, documentation, and log file analysis; and the ability to work with employee representation. The controller should enable the data protection officer to take part in advanced training measures to maintain the specialized knowledge required to perform his or her duties. The designation as a data protection officer does not necessarily require full-time occupation of the respective employee.

[Source: October 2013 | Notes: Recitals | Context: Recitals]

January 2012

Explanatory memorandum

3.4. Detailed explanation of the proposal

Article 35 introduces a mandatory data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring. This builds on Article 18(2) of Directive 95/46/EC which provided the possibility for Member States to introduce such requirement as a surrogate of a general notification requirement.

[Source: January 2012 | Context: Proposal from the European Commission]

Article 35(1) [Amended: October 2013]

1. The controller and the processor shall designate a data protection officer in any case where:

Article 35(2) [Amended: October 2013]

2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer.

Article 35(3)

3. Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.

Article 35(4)

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.

Article 35(5)

5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

Article 35(6)

6. The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.

Article 35(7) [Amended: October 2013]

7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.

Article 35(8)

8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.

Article 35(9)

9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.

Article 35(10)

10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.

Article 35(11) [Deleted: October 2013]

11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.

[Source: January 2012 | Context: Proposal from the European Commission]

Recital 75 [Amended: October 2013]

(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks independently.

[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]