IP - 07121-1/2021/577

From GDPRhub
IP - 07121-1/2021/577
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 37 GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided:
Published: 24.03.2021
Fine: None
Parties: n/a
National Case Number/Name: 07121-1/2021/577
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: GDPR plus

The Slovenian DPA stated that the director (CEO) or member of the management of the company shall not be a DPO.

English Summary

Facts

The director (CEO) or member of the management of the company may not be a DPO.

Dispute

Holding

The DPO shall not perform tasks determining the purposes or means of the processing of personal data. In particular, incompatible situations with the DPO shall be noted, such as senior management positions (e.g. Managing Director, Chief Operating Officer, Finance Director, Head of Marketing, Head of Human Resources or Head of Information Technology) and other subordinate roles in the organizational structure, if these positions or roles lead to the determination of the purposes and means of the processing.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

The Information Commissioner (hereinafter: IP) received your question by e-mail. You state that your company is engaged in the placement of labor abroad. Ask what you need to have urgently regulated in the field of personal data protection and whether a person within the company (possibly a director) can be appointed for personal data protection?

 

 

***

 

On the basis of the information you have provided to us, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter: the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07, official consolidated text, hereinafter ZVOP-1) and 2 Article of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion regarding your question. We emphasize that the IP cannot assess specific processing of personal data outside the inspection procedure or other administrative procedure.

 

We initially emphasize that the legality of the processing of personal data or. compliance with the rules of the General Regulation and ZVOP-1 is the responsibility of the operator, and IP can only give you general explanations and references in the context of a non-binding opinion.

 

We suggest that you examine the key areas of the General Regulation, where you can find explanations, which can be found on the IP website: https://www.ip-rs.si/?id=99, with a description of the most important steps for operators on the IP. IP website, intended for small and medium-sized companies, www.upravljavec.si and with already issued non-binding opinions, which are available with the help of the opinion search engine at https://www.ip-rs.si/varstvo-osebnih-podatkov/iskalnik -by opinions. The operator must thus e.g. to provide an appropriate legal basis for the processing of personal data (Article 6 of the General Regulation), to protect personal data (Articles 24, 25 and 32 of the General Regulation), to keep records of processing activities (Article 30 of the General Regulation), to inform individuals about the processing of personal data data (Articles 13 and 14 of the General Regulation), to regulate the possible issue of contractual processing of personal data (Articles 28 of the General Regulation), etc.

 

However, in view of your question regarding the DPO appointed by the controller in accordance with Article 37 of the General Regulation, the IP emphasizes that the controller must appoint a data protection officer whenever:

 

(a) the processing is carried out by a public authority or body,

 

(b) the core activities of the controller or processor include processing operations which, due to their nature, scope and / or purposes, require the data subjects to be monitored regularly and systematically on a regular basis; or

 

(c) the core activities of the controller or processor involve extensive processing of specific types of data ("sensitive personal data").

 

The data protection officer should be appointed by the controller primarily on the basis of professional qualities and, in particular, expertise in data protection legislation and practice. In accordance with Article 39 of the General Regulation, its tasks are primarily of an advisory and supervisory nature, namely informing the controller and employees on personal data protection, monitoring compliance with the General Regulation, advising on impact assessment and cooperating with the supervisory authority. As emphasized in the Article 29 Data Protection Working Party Guidelines on Data Protection Officers (last revised and adopted on 5 April 2017), the Data Protection Officer must be independent in the performance of his or her duties, which means that he or she must perform the tasks , laid down by the General Regulation and must be in a position where there is no conflict of interest. In particular, the latter means that the authorized person may not perform tasks that define the purposes or means of processing personal data. In particular, incompatible situations with the data protection officer should be noted, such as e.g. senior management positions (eg executive director, chief operating officer, chief financial officer, head of marketing, head of human resources or head of information technology) as well as other lower-level roles in the organizational structure, if such positions or roles lead to the determination of purposes and means of processing. The authorized person may be a member of the operator's staff or perform tasks on the basis of a service contract. Whether you need an authorized person on the basis of the above and who you will appoint as an authorized person is the responsibility of the operator, and we advise you to allow him to perform his tasks in accordance with the General Regulation and to ensure that any other duties and tasks authorized person performs, there is no conflict of interest.