
gdd

gdd. Gesellschaft für Datenschutz und Datensicherung e.V. German Association for Data Protection and Data Security Christoph Klug ATTORNEY AT LAW Phone: +49-228/694313 Fax: +49-228/695638 Internet: http://www.gdd.de E-Mail: klug@gdd.de. Non-profit organisation

rod

Presentation Transcript


  1. gdd: Gesellschaft für Datenschutz und Datensicherung e.V. (German Association for Data Protection and Data Security). Christoph Klug, Attorney at Law. Phone: +49-228/694313; Fax: +49-228/695638; Internet: http://www.gdd.de; E-Mail: klug@gdd.de

  2. gdd
     - Non-profit organisation
     - Founded in 1976 (1st German Data Protection Act)
     - Mission for over 25 years:
       - Help members to comply with privacy provisions
       - Support data protection officers
       - Education and training (seminars, conferences, publications)
       - Guidance (legal, technical, organisational problems)
       - Lobbying: reasonable, effective and practicable data protection

  3. Membership Development 1990 - 2002 (as of 10.10.2002)

  4. Membership structure (as of 10.10.2002)

  5. Data Protection Official
     - Definition: A natural person, appointed by the controller of personal data, who shall independently assure that personal data is processed in a correct and lawful manner.
     - Business title:
       - Data protection officer (Germany, Netherlands)
       - Personal data representative (Sweden)
       - Corporate privacy officer (US)

  6. The DPO-Concept
     - Self-regulation (corporate self-monitoring)
     - More effective data protection
     - Corporate compliance institution in addition to supervisory authority
     - Avoidance of unnecessary bureaucracy
     - Unburden supervisory authorities
     - Simplify notification
     - Prior checking by DPO instead of DP-authority

  7. Origins of the DPO
     - German model implemented in EU-Directive (95/46/EG)
     - Art. 18 (2): Simplification of or exemption from notification where the controller, in compliance with the national law which governs him, appoints a data protection official, responsible in particular for:
       - ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive
       - keeping a register of processing operations carried out by the controller ...

  8. Main Tasks
     - Ensure a lawful handling of personal data by the controller (company), including:
       - Prior checking when specific risks - Article 20 (2)
       - Supervision of processors acting on behalf of the controller
       - Compliance with (internal) corporate privacy provisions such as codes of conduct or contractual obligations
       - Familiarise staff with data protection provisions
     - Transparency
       - Keep public register (any person)
       - Data subject rights (information, access, correction etc.)

  9. Independent Status
     - Article 18 (2) EU-Directive
     - Position to exercise his functions in complete independence
     - Independent inspection of processing operations
     - Necessary powers, means, premises, facilities, equipment, resources
     - Makes own professional judgement
     - In case of grievances: report to head of the controller
     - Controller remains responsible for legal processing

  10. Qualifications
     - No requirements in EU-Directive
     - Only vague requirements by German law: "necessary know-how and reliability"
     - GDD-Study:
       - Adequate knowledge of data protection law
       - Adequate knowledge of IT functions
       - Basic knowledge of business-related economics
       - Specific knowledge of the company's internal structures and processing operations

  11. Appointment of a DPO
     - EU-Directive: Appointment in compliance with the national law
     - Germany: Depending on size, companies have to formally appoint DPO in writing. Mandatory appointment for public bodies.
     - Netherlands: DPO (optional) has to be registered with the DP-Commission (list)
     - Sweden: DPO (optional). Practice: notification to the supervisory authority

  12. Appointment Options
     - Full-time DPO
       - Larger companies
       - Multinational corporations, where the DPO is in charge for the affiliates as well (privacy assistants!)
     - Part-time DPO
       - Smaller companies
       - The DPO may hold another job in the firm
     - External DPO
       - Not employee but external consultant

  13. The Value of Corporate DPOs
     - Corporate privacy management by DPO
     - Competitive advantage (own privacy chief)
     - Harmonised level of protection in multinational organisations
     - Self-regulatory approach allows for global enforcement
     - Data protection controls can be improved
     - Two compliance institutions instead of one
     - Supervisory authorities can be unburdened
     - Self-monitoring
     - Prior checking
     - Notification

  14. Simplification of Notification
     - European Commission DP Conference in September
     - Evaluation of EU-Directive
     - Not a radical revision
     - Guidance for a better harmonisation
     - More uniform and consistent application in member states
     - Among other things: Simplification of notification
     - Member states and EU candidates should give companies the opportunity to appoint DPOs, thus avoiding the necessity to notify to the supervisory authority.
