Workshop on Data Protection, European Parliament - Brussels - 8 June 2011
The Data Protection Officer at work: Experience, good practices and lessons learnt
Pierre Vernhes – former DPO at the Council of the EU
The views expressed are solely those of the writer and may not be regarded as stating an official position of the Council
Contents
• DPO Duties
  • Main tasks
  • Best practices
• p.m.: External cooperation
• Internal cooperation
  • Authority and controllers
  • Other services
  • Examples of possible contributions from IT service and from internal audit
  • Data subjects
  • Staff Committee
• Conclusion
Overview
To carry out his mission, i.e. to ensure in an independent manner the internal application of the Regulation:
• the DPO has no real powers of enforcement, BUT the power to influence and efficient means are also available to him
• the DPO is a key player in ensuring that EU institutions respect their Data Protection obligations, BUT is very unlikely to succeed alone
DPO Duties: Main tasks (1)
• providing information and raising awareness on Data Protection
• ensuring that controllers and data subjects are informed of their rights and obligations
• providing the institution/body with recommendations and advice
• assisting data subjects, e.g. by examining questions submitted to him, by handling requests for investigation, by bringing together data subjects and controllers
DPO Duties: Main tasks (2)
• monitoring of compliance (notification procedure, access to information and premises, investigations…)
• keeping a register of processing operations notified to him
• cooperating with the EDPS and the DPOs
• notifying the EDPS of processing operations likely to present specific risks (Article 27)
DPO Duties: Best practices
• promoting a “data protection culture” within the institution (intranet website, booklets, training, recommendations, events)
• developing from the outset an appropriate IT system to manage the inventory of processing operations and to keep the register of notified processing operations
• submitting an annual report and a work programme
• keeping informed and involved in relevant internal discussion groups or committees (IT security, public procurement, organisational changes)
• cooperating with internal and external stakeholders
Cooperating with the Appointing Authority and with controllers
• advising the Appointing Authority on the data protection aspects of its intended measures, e.g. by making recommendations
• ensuring that controllers are informed of their obligations
• contributing to supervision of the processing operations, e.g. through the notification procedure
Cooperating with other services
• requesting a legal opinion from the Legal Service / Legal Officer, e.g. when data protection issues also involve the application of other legal instruments (Staff Regulations, Financial Regulation, Security Regulation)
• calling on experts' services or advice (IT service, Infosec, Security)
• requesting assistance from other specialised services (IT development: role in implementing Privacy by Design; Internal Audit: contribution to verification of compliance)
Possible contribution from other services, example 1 - IT development
The IT project leader could assist the IT system owner, e.g. in:
• recalling, taking into account and implementing DP principles at the functional analysis stage (purpose, data quality, access rights, security, blocking, erasure and other mechanisms for the exercise of rights)
• recalling the need to open a notification file and to prepare it at the earliest stage
• taking into account the delays entailed by prior checking, where applicable
• verifying the existence of the notification to the DPO and of the information to data subjects prior to implementation of any new IT system processing personal data … with a possible blocking procedure
Possible contribution from other services, example 2 - internal audit (IA)
In the course of its regular audits, IA could carry out checks or assess risks related to DP obligations, e.g.:
• notification to the DPO (Article 25)
• information to be given to data subjects (Article 11 and Article 12)
• processing of “sensitive” data (Article 10)
• transfer of data to a third country (Article 9)
• instructions to staff for processing data (Article 21)
• management of access rights (Article 22)
• security measures (Article 22 and Article 23)
• follow-up given to the EDPS opinion (Article 27)
Cooperating with data subjects
• processing operations often concern staff
• answering requests for consultation or investigation
• directing them to the relevant controller
• assisting them in case of difficulties in the exercise of their rights
• improving the transparency of processing operations through the keeping of a Register
Cooperating with the Staff Committee - Differences in respective mandates
• the Staff Committee has a general competence to represent the interests of staff vis-à-vis their institution (Article 9.3 of the Staff Regulations)
• the DPO is an advisor and the internal guardian of the Data Protection Regulation for ALL parties (Article 24 of Regulation EC n° 45/2001)
Cooperating with the Staff Committee - Best practices
DPO:
• answering requests for consultation or investigation
• informing on his activities (hearings, presentation of his annual report)
Staff Committee:
• sharing information gained on data protection issues, e.g. by drawing attention to envisaged processing and possible difficulties
• proposing or supporting organisational measures which strengthen the DPO's position
Cooperating with the Staff Committee - To be kept in mind!
• the DPO advises ALL internal parties, in confidence if so requested
• the DPO welcomes any information related to data protection but can only act on solid grounds and in accordance with the Data Protection Regulation
• instrumentalisation of data protection is likely to be counterproductive to the very interests of staff
CONCLUSION
The DPO is a key player in ensuring that the EU institutions respect their Data Protection obligations, BUT he/she is very unlikely to succeed alone.
Cooperation with other stakeholders is fundamental.