The GDPR specifies the function and responsibilities of the Controller and Processor, and specifies that an organisation will in many cases appoint a “Data Protection Officer” (DPO). This is a new role, and the tasks that the DPO is responsible for are specified in the Regulation.
The responsibilities of a controller and processor are clarified in Article 4 (sections 7 & 8).
“‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”
The Data Controller has to register with the Information Commissioner's Office (ICO) on an annual basis.
“‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”
‘The Data Protection Officer’: Article 38 states that the DPO must be involved in a timely manner in all issues that relate to the protection of personal data. The processor and controller must support the DPO in performing the DPO's tasks and ensure that the DPO is independent; the DPO may not be dismissed or penalised for performing those tasks.
The DPO must be contactable by data subjects with regard to all issues relating to the processing of their personal data. The DPO shall be bound by secrecy concerning the performance of these tasks.
The DPO may be given other tasks to perform provided that they do not result in a conflict of interest.
The duties of the DPO are to inform and advise the controller or the processor, and the employees who carry out processing, of their obligations under the Regulation. The DPO is to monitor compliance with the Regulation and to provide advice where requested as regards the data protection impact assessment in accordance with Article 35.
They are also to cooperate with the supervisory authority and to act as a contact point for the supervisory authority.
The organisation has appointed the Soha Compliance Manager as Data Protection Officer.