Expert Advice Community

Guest

DPO and Data breach

Guest user Created:   Aug 27, 2019 Last commented:   Aug 27, 2019

1. How do I know if I need to appoint a DPO?

Expert
Andrei Hanganu Aug 27, 2019

Answer:

Appointing a DPO is mandatory if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.

If you want to find out more about the role of the DPO check out this free webinar “Role of the DPO according to EU GDPR” (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).

2. Can the Security Officer also be the DPO?

Answer:

In theory, yes. However, I would advise against such an approach, as the roles would be conflicting in certain areas. The role of the Security Officer is to protect the company's information assets using whatever means necessary, but the DPO needs to ensure that the means of processing personal data are lawful, transparent and proportionate.

3. In the case of a data breach, how do I know if I need to notify the data protection authority?

Answer:

You first need to assess the severity of the data breach, taking into account how that breach can affect the rights and freedoms of the data subjects involved. There are three scenarios:

a) If the breach does not affect the rights and freedoms of the data subjects the breach does not need to be reported;

b) If the breach poses a risk to the rights and freedoms of the data subjects the breach needs to be reported to the Supervisory Authority;

c) If there is a high risk, then both the data subjects and the Supervisory Authority need to be notified.

If you want to learn more about data breaches check out this webinar “A How-to Guide for GDPR Data Breach Notifications” (https://advisera.com/eugdpracademy/webinar/a-how-to-guide-for-gdpr-data-breach-notifications-free-webinar-on-demand/).

4. Does the data breach need to happen in the EU, or can it be outside the EU as well?

Answer:

Yes, it does. If the data subjects affected by the data breach are in the EU the breach needs to be notified as described in question 3. This is one of the instances where the extraterritorial reach of the GDPR kicks in.