ALERT PRO HR: One week remaining to designate a Data Protection Officer

2018.07.27

31 July 2018 is the deadline for the appointment of a Data Protection Officer (DPO) by those entities that are required to do so under the GDPR. It is, therefore, the final moment to analyze whether the requirement to appoint a DPO applies to you and, if so, to designate the appropriate person. If a DPO is appointed, the President of the Personal Data Protection Office (PPDPO) should be notified of this fact within 14 days.

Until 1 September 2018:

  • The role of the DPO is fulfilled by the persons who were Information Security Administrators (ISA) on 24 May 2018 and became DPOs by virtue of the law starting on 25 May 2018,
  • Entities that are not required to appoint a DPO can remove the DPO that has been fulfilling the DPO role by virtue of the law without the need to notify the PPDPO,
  • The PPDPO should be notified about the reappointment of a person to the DPO position if you want them to serve on a continuing basis. 

The entities that are required to designate a DPO must notify the PPDPO of the removal of a DPO and the appointment of another person following the procedure laid out in the ‘new’ Personal Data Protection Act that has been in force since 25 May 2018.

ATTENTION! 
The GDPR allows an individual to perform other tasks and duties in addition to the DPO role. In no case, however, can this lead to a conflict of interest. The DPO cannot be responsible for determining the methods of processing of the data that they are to verify and oversee. In the case of internal DPOs who are employed part-time, or in the case of external entities that combine the DPO function with other tasks or who serve in this capacity for several entities, care must be taken to ensure that the DPO can allocate sufficient time to perform the tasks for the controller. It is important to put appropriate provisions in this respect into the agreement, but also to ensure appropriate allocation of tasks in practice.

Failure to appoint a DPO in spite of there being a requirement to do so can result in severe administrative sanctions: non-financial ones (which could even include a total ban on data processing) and financial ones (up to 10 000 000 euro or up to 2% of global turnover from the previous financial year, whichever is higher).

Even if you are not required to appoint a DPO, you should consider doing so voluntarily. In such a case, however, you are not bound by any deadlines, which means that you should closely analyze all the pros and cons in order to choose the best solution for your organization. 
 

CONTACT

r. pr. dr Dominika Dörre-Kolasa

dominika.dorre-kolasa@raczkowski.eu