Does a small Biotech company need to have a DPO?

Guest user Created:   Oct 15, 2020 Last commented:   Oct 19, 2020

I have a question for you. Does a small Biotech company need to have a DPO?

Thanking you in advance.

Expert
Alessandra Nisticò Oct 19, 2020

Article 37 GDPR states that the controller shall appoint a Data Protection Officer (DPO) when (a) the processing is carried out by a public authority or body; (b) the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 (including health data).

Therefore, if your company processes data on a large scale or there is regular and systematic monitoring of data subjects on a large scale (i.e. an app tracking Covid infections), you should appoint a DPO. You need to consider the scale of processing rather than the dimension of the company. Large scale is not defined by the GDPR; however, the former Working Party (a study group established by the EU Commission) defined a few examples of large scale (https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf):

  • processing of patient data in the regular course of business by a hospital
  • processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
  • processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities
  • processing of customer data in the regular course of business by an insurance company or a bank
  • processing of personal data for behavioural advertising by a search engine
  • processing of data (content, traffic, location) by telephone or internet service providers

Here you can find more information:

If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://training.advisera.com/se/eu-gdpr-foundations-course//
