We’re only starting with the GDPR toolkit, but I’ve an important question that you may be able to answer. The template mention the DPO a lot and we decided to not appoint one as we don’t have to, how should we go about it? Who should be there instead? (separately I wonder if there’s a specific requirement regarding the format of the record for the decision not to have a DPO?)
Assign topic to the user
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Expert
Andrei Hanganu
Jan 05, 2018
Answer:
The EU GDPR requires the appointment of a formal Data Protection Officer (DPO) only in certain cases which are listed under article 37 (https://advisera.com/eugdpracademy/gdpr/designation-of-the-data-protection-officer/). So, if the company you are representing does not find itself in the in the situations described in the article mentioned above you don’t need to have a dedicated DPO and you are not required to have any document in place to back up this fact.
This, however, doesn't mean that the company can leave aside the EU GDPR. Data protection specific tasks can be given to different members of the organizations such as Legal Counsels, HR specialists , IT security specialists etc. or the tasks can be outsourced to a specialized third party.
Just make sure that those members of the organization you select for the data protection tasks have at least some knowledge about the EU GDPR and other relevant data protection laws.
Comment as guest or Sign in
Jan 05, 2018
Jan 05, 2018
Jan 05, 2018