DPO and Data breach

Answer:

Appointing a DPO is mandatory if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation);or (e) the processing includes personal data relating to criminal convictions and offenses.

If you want to find out more about the role of the DPO check out this free webinar “Role of the DPO according to EU GDPR” (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).

2. Can the Security Officer be also the DPO?

Answer:

In theory, yes. However, I would advise against such an approach as the roles would be conflicting in certain areas. The role of the Security Officer is to protect the company information assets using whatever means necessary but the DPO needs to ensure that the means of processing personal data are lawful, transparent and proportionate.

3. In a case of a data breach now do I know if I notify the data protection authority?

Answer:

You first need to assess the severity of the data breach taking into account how that breach can affect the rights and freedoms of the data subjects involves. There are three scenarios:

a) If the breach does not affect the rights and freedoms of the data subjects the breach does not need to be reported;

b) If the breach poses a risk to the rights and freedoms of the data subjects the breach needs to be reported to the Supervisory Authority;

c) If there is a high risk then ten both the data subject and the Supervisory Authority needs to be notified.

If you want to learn more about data breaches check out this webinar “A How-to Guide for GDPR Data Breach Notifications” (https://advisera.com/eugdpracademy/webinar/a-how-to-guide-for-gdpr-data-breach-notifications-free-webinar-on-demand/).

4. Does the data breach need to happen in the EU or it can be outside EU as well?

Answer:

Yes, it does. If the data subjects affected by the data breach are in the EU the breach needs to be notified as described in question 3. This is one of the instances where the extraterritorial reach of the GDPR kicks in.