Artikkel 37
Designation of the data protection officer

Recitals of the Regulation relating to Art. 37

(97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

Recitals of the Directive relating to Art. 37

(49) Whereas, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification required may be provided for by Member States in cases where processing is unlikely adversely to affect the rights and freedoms of data subjects, provided that it is in accordance with a measure taken by a Member State specifying its limits; whereas exemption or simplification may similarly be provided for by Member States where a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects; whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;

(54) Whereas with regard to all the processing undertaken in society, the amount posing such specific risks should be very limited; whereas Member States must provide that the supervisory authority, or the data protection official in cooperation with the authority, check such processing prior to it being carried out; whereas following this prior check, the supervisory authority may, according to its national law, give an opinion or an authorization regarding the processing; whereas such checking may equally take place in the course of the preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing and lays down appropriate safeguards;

GDPR

The least that can be said is that the Member States struggled to agree on the circumstances in which the appointment of a data protection officer should be required.

Initially, Article 37 of the proposed Regulation set out the conditions under which a data protection officer had to be designated, for both the public sector and the private sector, depending either on the number of employees or on the fact that the processing, by virtue of its nature, scope or purposes, involved regular and systematic monitoring of the data subjects.

In place of paragraph 1 of Article 37, the second proposed version of the Regulation stated tersely that the controller may, or shall where EU law or the law of a Member State so requires, designate a data protection officer...

The final version of the Regulation ultimately reintroduced three cases in which the designation of a data protection officer is mandatory:

- when the processing is carried out by a public authority or body, except for courts acting in their judicial capacity (Art. 37, paragraph 1, a);

- when the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (Art. 37, paragraph 1, b);

- when the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences (Art. 37, paragraph 1, c).

The Regulation then provides that a group of undertakings may designate a single data protection officer (paragraph 2). The same possibility is open to public authorities and public bodies, taking into account their organisational structure and size (paragraph 3). A group of undertakings is to be understood "as a controlling undertaking and its controlled undertakings" (Art. 4 (19)).

In other cases (paragraph 4), the controller, the processor, or associations and other bodies representing categories of controllers or processors may, or where required by EU law or the law of a Member State must, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

Paragraph 5 specifies the qualifications that the data protection officer must meet:

- he or she must have expert knowledge of data protection law and practices;

- he or she must be able to perform the tasks assigned by Article 39 (including in particular raising staff awareness of data protection, monitoring the compliance of processing, and liaising with the national supervisory authority...).

The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract (paragraph 6).

The Regulation also requires the controller - or the processor - to publish the contact details of the data protection officer and communicate them to the supervisory authority.

The Directive

The Directive, in its Article 18, had introduced the possibility for the controller to designate a data protection officer. The designation of such an officer then constituted a condition for simplification of, or even exemption from, the obligation to notify the national supervisory authority.

Recital 49 stated that, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification may be provided for where “a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects. Whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence”.

Challenges

The final text of this provision is the result of a compromise. The goal is to avoid an administrative and organisational burden that would have been too heavy for small and medium-sized enterprises. Member States were also given the possibility of extending the cases in which designation is required.


However, in order to manage properly the obligations resulting from the Regulation, any enterprise will have to designate an internal person responsible for compliance who will not have any special status, which may create difficulties, in particular as to his or her neutrality or ability to impose the measures necessary to ensure the compliance of processing.

The cases of mandatory designation will require interpretation of the Regulation, which will not always be simple in practice.

Regulation

Art. 37

1. The controller and the processor shall designate a data protection officer in any case where:

a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

First proposal

Art. 35

1. The controller and the processor shall designate a data protection officer in any case where:

(a) the processing is carried out by a public authority or body; or

(b) the processing is carried out by an enterprise employing 250 persons or more; or

(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer.

3. Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.

5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

6. The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.

7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.

8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.

9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.

10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.

11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.

Second proposal

Art. 35

1. The controller or the processor may, or where required by Union or Member State law shall, designate a data protection officer (...).

2. A group of undertakings may appoint a single data protection officer.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. (...).

5. The (...) data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37, particularly the absence of any conflict of interests. (...).

6. (...)

7. (...). During their term of office, the data protection officer may, apart from serious grounds under the law of the Member State concerned which justify the dismissal of an employee or civil servant, be dismissed only if the data protection officer no longer fulfils the conditions required for the performance of his or her tasks pursuant to Article 37.

8. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

9. The controller or the processor shall publish the contact details of the data protection officer and communicate these to the supervisory authority (...).

10. Data subjects may contact the data protection officer on all issues related to the processing of the data subject’s data and the exercise of their rights under this Regulation.

11. (...)

Directive

Art. 18

(...)

2. Member States may provide for the simplification of or exemption from notification only in the following cases and under the following conditions:

- where, for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects, they specify the purposes of the processing, the data or categories of data undergoing processing, the category or categories of data subject, the recipients or categories of recipient to whom the data are to be disclosed and the length of time the data are to be stored, and/or

- where the controller, in compliance with the national law which governs him, appoints a personal data protection official, responsible in particular:

- for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive

- for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21 (2),

thereby ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.

Art. 37 (Norwegian language version, translated)

Designation of a data protection officer

1. The controller and the processor shall designate a data protection officer where

a) the processing is carried out by a public authority or a public body, except for courts acting within the scope of their judicial authority,

b) the core activities of the controller or the processor consist of processing activities which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or

c) the core activities of the controller or the processor consist of large-scale processing of special categories of data pursuant to Article 9 and of personal data relating to criminal convictions and offences as referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer, provided that all the undertakings have easy access to that person.

3. Where the controller or the processor is a public authority or a public body, a single data protection officer may be designated for several such authorities or bodies, taking into account their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or the processor, or associations and other bodies representing categories of controllers or processors, may, or where required by Union law or the national law of the Member States shall, designate a data protection officer. The data protection officer may act on behalf of such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualifications and, in particular, on the basis of in-depth knowledge of data protection law and practice in the field, as well as the ability to perform the tasks referred to in Article 39.

6. The data protection officer may be an employee of the controller or the processor, or perform the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate these to the supervisory authority.

The old law

Pol.forskriften § 7-12 Data protection officer

The Data Protection Authority (Datatilsynet) may consent to an exemption from the notification obligation under section 31, first paragraph, of the Personal Data Act (personopplysningsloven), provided that the controller designates an independent data protection officer whose task is to ensure that the controller complies with the Personal Data Act and its regulations. The data protection officer shall also keep an overview of the information referred to in section 32 of the Personal Data Act.