
Expert Advice Community


Supervisory authority for data protection

Guest user. Created: Oct 18, 2018. Last commented: Oct 18, 2018.


We are an organisation which provides consultancy for ISMS and other information security related products in the Indian sub-continent. During one of our implementations for an IT organisation in Sri Lanka and India, we got a query on GDPR. The organisation has appointed a Data Protection Officer. Now we are not sure who will be the Supervisory Authority in India and Sri Lanka for Data Protection. Can you please let me know from where we can get this information?

Expert
Andrei Hanganu Oct 18, 2018

Answer:

The EU GDPR states that it is compulsory for a legal entity to appoint a DPO only if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR.

Also, since the organization is in Sri Lanka and India, you first need to identify if the EU GDPR is applicable. The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.

When the data is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable for a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case, the processing does not take place “in the Union,” nor is the individual “in the Union”.

If your customer falls under both criteria above, it would need to appoint a representative in the EU and the competent Supervisory Authority would be the one where the representative is established.

To learn more about the duties of a DPO, check out our EU GDPR Data Protection Officer Course (https://training.advisera.com/se/eu-gdpr-data-protection-officer-course/).