The data protection reform in the EU is serious. So serious that, through the new regulation, the European Union actually imposes a mandatory data protection officer for the public sector and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.
There is an entire section (Section 4 of Chapter IV) in the proposed regulation dedicated to the “data protection officer”. It builds on Article 18(2) of Directive 95/46/EC, which provided the possibility for Member States to introduce such a requirement as a surrogate for a general notification requirement.
According to Article 35 of the proposed regulation, a data protection officer shall be designated in the following cases:
– when the processing is carried out by a public authority or body;
– when the processing is carried out by an enterprise employing 250 persons or more;
– when the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
The Regulation, at Article 35(5), also sets strict requirements for the person who will be designated data protection officer, as he or she must be appointed on the basis of “professional qualities and, in particular, expert knowledge of data protection”. We understand this to mean that companies and public institutions are not allowed to simply name one of their current employees to such a position, unless the current employee receives adequate qualifications in the data protection field.
Article 35(7) sets a minimum period of employment of 2 years, while Article 35(10) states that data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.
A quite independent position
The data protection officer will enjoy as much independence as possible in the context of an employment relationship. As such, Article 36(2) requires the controller or processor to “ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor”.
These developments are huge in the data protection field, and they show that the EU takes as seriously as possible the threat of intrusion into individuals’ private lives through weak protection of their personal data.
Tomorrow I’ll write about the specific tasks a data protection officer will have, according to the proposed regulation.