Rina Steenkamp - Privacy and technology
Chapter IV Controller and processor
Section 4 Data protection officer
Article 37 Tasks of the data protection officer
October 2013
Article 37(1)
1. The controller or the processor shall entrust the data protection officer at least with the following tasks:
- (a) to raise awareness, to inform and advise the controller or the processor of their obligations pursuant to this Regulation, in particular with regard to technical and organisational measures and procedures, and to document this activity and the responses received;
- (b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;
- (c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;
- (d) to ensure that the documentation referred to in Article 28 is maintained;
- (e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;
- (f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior consultation, if required pursuant Articles 32a, 33 and 34;
- (g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer’s own initiative;
- (h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.;
- (i) to verify the compliance with this Regulation under the prior consultation mechanism laid out in Article 34;
- (j) to inform the employee representatives on data processing of the employees.
Article 37(2)
2. (deleted)
[Source: October 2013]
January 2012
Article 37(1) [Amended: October 2013]
1. The controller or the processor shall entrust the data protection officer at least with the following tasks:
- (a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
- (b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;
- (c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;
- (d) to ensure that the documentation referred to in Article 28 is maintained;
- (e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;
- (f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;
- (g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer’s own initiative;
- (h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.
Article 37(2) [Deleted: October 2013]
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.
[Source: January 2012 | Context: Proposal from the European Commission]
Menu |
My annotated General Data Protection Regulation |
Chapter IV |
Section 4 |
Previous |
Next |
Additional information | Meta |
Contact |
Nederlands
