Data Processor Officer (DPO): choose T.net
The GDPR introduces the concept of «Data Processor», distinguishing it from the «Data Controller». The «controller» is the entity that establishes the purposes, the conditions and the means of processing personal data, while the «processor» is the one who processes personal data on behalf of the controller.
The Data Processor is a role held by the majority of Cloud Service Providers. Until some time ago, the EU Directive placed obligations and sanctions only on the Data Controller; with the GDPR, the Data Processor is required to implement technical and organizational measures to comply with the Regulation itself, as identified by the Data Controller and in all cases in which personal data processing is entrusted to third parties.
Who is obliged to have a DPO:
– Public Authorities;
– Organizations that carry out systematic monitoring on a large scale;
– Organizations that process sensitive personal data on a large scale.
Who the DPO is
– He is a professional who is external in terms of autonomy and impartiality, and who helps the controller in his legal duties (independence, authority, managerial expertise, as set out in Art. 38 and 39);
– He DOES NOT replace the Controller, who remains the party actually responsible for compliance with the GDPR;
– He MUST NOT be a «controller» of one of the processes (e.g. NOT the HR Manager, nor the IT Manager);
– He must not be an employee on a fixed-term contract;
– He must not be supervised by a director, but must have a direct line to Top Management.
What the DPO does
– He draws up and updates the DPIA;
– He carries out audits and raises awareness among staff;
– He advises the Controller and the Processor on their tasks related to the GDPR;
– He receives notices from the people affected by data processing and handles that information;
– He coordinates meetings about Data Protection;
– He cooperates with the Authorities;
– He must have his own independence and his own budget;
– He must be able to carry out an audit;
– He must have access to resources for his own training and for that of staff.
The role should have a minimum duration of two years and a maximum of 5 years, with renewal, and with strictly defined conditions for revocation, which applies only in extremely serious cases.
T.net is the right choice as Data Processor Officer for Private Companies and Public Administrations.