140 likes | 337 Views
gdd. Gesellschaft für Datenschutz und Datensicherung e.V. German Association for Data Protection and Data Security Christoph Klug ATTORNEY AT LAW Phone: +49-228/694313 Fax: +49-228/695638 Internet: http://www.gdd.de E-Mail: klug@gdd.de. Non-profit organisation
E N D
gdd Gesellschaft für Datenschutzund Datensicherung e.V. German Association for Data Protection and Data Security Christoph Klug ATTORNEY AT LAW Phone: +49-228/694313 Fax: +49-228/695638 Internet: http://www.gdd.de E-Mail: klug@gdd.de
Non-profit organisation Founded in 1976 (1. German Data Protection Act) Mission for over 25 years: Help members to comply with privacy provisions Support data protection officers Educationand training (seminars, conferences, publications) Guidance (legal, technical, organisational problems) Lobbying: reasonable, effective and practicable data protection gdd
Membership-Development1990 - 2002 Stand: 10.10.2002
Membership structure Stand: 10.10.2002
Definition: A natural person, appointed by the controller of personal data, who shall independently assure that personal data is processed in a correct and lawful manner. Business title: Data protection officer (Germany, Netherlands) Personal data representative (Sweden) Corporate privacy officer (US) Data Protection Official
Self-regulation (corporate self-monitoring) More effective data protection Corporate compliance institution in addition to Supervisory authority Avoidance of unnecessary bureaucracy Unburden supervisory authorities Simplify notification Prior checking by DPO instead of DP-authority The DPO-Concept
German model implemented in EU-Directive (95/46/EG) Art. 18 (2): Simplification of or exemption from notification where the controller, in compliance with the national law which governs him, appoints a data protection official, responsible in particular for: ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive keeping a register of processing operations carryed out by the controller ... Origins of the DPO
Ensure a lawful handling of personal data by the controller (company) including Prior checking when specific risks - Article 20 (2) Supervision ofprocessors acting on behalf of the controller Compliance with (internal) corporate privacy provisions such as codes of conduct or contractual obligations Familiarise staff with data protection provisions Transparency Keep public register (any person) Data subject rights (information, access, correction etc.) Main Tasks
Article 18 (2) EU-Directive Position to exercise his functions in complete independence Independent inspection of processing operations Necessary powers, means, premises, facilities, equipment, resources Makes own professional judgement In case of grievances: report to head of the controller Controller remains responsible for legal processing Independent Status
No requirements in EU-Directive Only vague requirements by German law: “necessary know-how and reliability“ GDD-Study: Adequate knowledge of data protectionlaw Adequate knowledge of ITfunctions Basic knowledge of business-related economics Specific knowledge of the company`s internal structuresand processing operations Qualifications
EU-Directive: Appointment in compliance with the national law Germany: Depending on size companies have to formally appoint DPO in writing. Mandatory appointment for public bodies. Netherlands:DPO (optional) has to be registered with the DP-Commission (list) Sweden: DPO (optional). Practice: notification to the supervisory authority Appointment of a DPO
Full-time DPO Larger companies Multinational corporations, where the DPO is in charge for the affiliates as well (privacy assistants!) Part-time DPO Smaller companies The DPO may hold another job in the firm External DPO Not employee but external consultant Appointment Options
Corporate privacy management by DPO Competitive advantage (own privacy chief) Harmonised level of protection in multinational organisations Self-regulatory approach allows for global enforcement Data protection controls can be improved Two compliance institutions instead of one Supervisory authorities can be unburdened Self-monitoring Prior checking Notification The Value of Corporate DPOs
European Commission DP Conference in September Evaluationof EU-Directive Not a radical revision Guidance for a better harmonisation More uniform and consistent application in member states Among other things: Simplification of notification Member states and EU candidates should give companies the opportunity to appoint DPOs, thus avoiding the necessity to notify to the supervisory authority. Simplification of Notification