Does the DPO for a US company processing EU subject data have to be located in the EU? Or can the DPO be the US company’s privacy officer? And when does the DPO have to register in the EU?
No, the DPO can be located in the US, EU or elsewhere. The DPO is an independent figure who has to deal with the company board, the Supervisory Authority, and the Data subjects. Because of the required independence, it is better to keep separate the position of the company’s privacy officer and DPO, yet it is important they communicate in order to guarantee better compliance.
You can register the DPO in the EU when you appoint an EU representative (in case article 27 GDPR applies to you). If your company does not have to appoint an EU representative under article 27 GDPR, your DPO shall work with all EU Supervisory Authorities and is not required to be registered, yet the contacts must be publicly available.
You can find more information about the DPO and how to hire the right DPO here:
• The role of the DPO in light of the General Data Protection Regulation https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
• How to hire the right DPO? https://advisera.com/eugdpracademy/blog/2018/08/27/how-to-hire-the-right-dpo/
According to article 27 GDPR, a company has to appoint an EU representative when the company:
• is offering goods or services to persons in the EU (whether a payment is requested or not);
or
• is monitoring persons’ behavior which takes place inside the EU
Such obligation shall not apply to processing which is:
• occasional
• does not include large-scale processing of special categories of data (health, political opinion, sexual orientation, etc.) or data relating to criminal convictions and offenses
• processing is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing;
• processing is by a public body
You can find more information here:
• Article 27 GDPR: https://advisera.com/eugdpracademy/gdpr/representatives-of-controllers-or-processors-not-established-in-the-union/
• Agreement for the Appointment of an EU Representative: https://advisera.com/eugdpracademy/documentation/agreement-for-the-appointment-of-an-eu-representative/
Feb 21, 2020