Data Protection Officer (DPO)
The legislation on the protection of personal data (Article 37 of the GDPR) provides certain cases in which it is mandatory to designate a DPO within the personal data controller or processor, namely:
the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
the core activities of the controller or the processor consist of processing on a large scale of special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation) or of personal data relating to criminal convictions and offences.
Even where designating a data protection officer is not mandatory, the National Authority for the Supervision of Personal Data Processing (ANSPDCP) recommends appointing one, as it helps the controller comply with its personal data protection obligations.
The data protection officer must be appointed on the basis of his/her professional qualities and, in particular, his/her expert knowledge of data protection law and practice, as well as his/her ability to perform the tasks required by law.
The DPO may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract. In other words, a DPO may be hired under an individual employment agreement or outsourced.
Given the requirement for the DPO to have expert legal knowledge, Andreea Rainer - Law Office offers specific services for performing the role of data protection officer, under a legal assistance agreement.
The tasks of a DPO include:
to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions;
to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
to provide advice, where requested, as regards the data protection impact assessment (DPIA) and to monitor its performance;
to cooperate with the supervisory authority;
to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, and to consult, where appropriate, with regard to any other matter.