
Data Protection Officer: Appointment, Responsibilities and Liabilities
DPO under GDPR
The duties of a Data Protection Officer include working towards compliance with all relevant data protection laws, monitoring specific processes such as data protection impact assessments, increasing employee awareness of data protection and training employees accordingly, and collaborating with the supervisory authorities. The employee acting as Data Protection Officer must therefore not be dismissed or penalised for fulfilling these tasks. Despite the DPO's monitoring function, the company itself remains responsible for complying with data protection laws. It therefore has to involve the Data Protection Officer in all issues which relate to the protection of personal data “properly and in a timely manner”. When a Data Protection Officer is appointed, his superior must publish his contact data and communicate the appointment and contact data to the data protection supervisory authorities. If a company voluntarily appoints a DPO, it must also adhere to the criteria and provisions laid out above. Note also that the wilful or negligent failure to appoint a Data Protection Officer despite a legal obligation is an infringement subject to fines.1
1 https://gdpr-info.eu/issues/data-protection-officer/
Art. 37 GDPR: Designation of the data protection officer
- The controller and the processor shall designate a data protection officer in any case where:
• the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
• the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
• the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
- A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
- Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
- In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
- The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
- The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
- The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.2
Art. 38 GDPR: Position of the data protection officer
- The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
- The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
- Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
- The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
- The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.3
Art. 39 GDPR: Tasks of the data protection officer
The data protection officer shall have at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
- The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.4
2 https://gdpr-info.eu/art-37-gdpr/
3 https://gdpr-info.eu/art-38-gdpr/
Germany
Appointment in public bodies
Section 5
(3) The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Section 7.
(4) The data protection officer may be a staff member of the public body, or fulfil the tasks on the basis of a service contract.
(5) The public body shall publish the contact details of the data protection officer and communicate them to the Federal Commissioner for Data Protection and Freedom of Information.
Section 6: Position
(1) The public body shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
(2) The public body shall support the data protection officer in performing the tasks referred to in Section 7 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
(3) The public body shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The data protection officer shall directly report to the highest management level of the public body. The data protection officer shall not be dismissed or penalized by the public body for performing his or her tasks.
(4) The dismissal of the data protection officer shall be permitted only by applying Section 626 of the Civil Code accordingly. The data protection officer’s employment shall not be terminated unless there are facts which give the public body just cause to terminate without notice. After the activity as data protection officer has ended, the data protection officer may not be terminated for a year following the end of appointment, unless the public body has just cause to terminate without notice.
(5) Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under Regulation (EU) 2016/679, this Act and other data protection legislation. The data protection officer shall be bound by secrecy concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless they are released from this obligation by the data subject.
(6) Where in the course of their activities data protection officers become aware of data for which the head of a public body or a person employed by such a body has the right to refuse to give evidence for employment-related reasons, this right shall also apply to the data protection officer and his or her assistants. The person to whom the right to refuse to give evidence applies for employment-related reasons shall decide whether to exercise this right unless it is impossible to effect such a decision in the foreseeable future. Where the right of the data protection officer to refuse to give evidence applies, his or her files and other documents shall not be subject to seizure.
4 https://gdpr-info.eu/art-39-gdpr/
Responsibilities
Section 7: Tasks
(1) In addition to the tasks listed in Regulation (EU) 2016/679, the data protection officer shall have at least the following tasks:
- to inform and advise the public body and the employees who carry out processing of their obligations pursuant to this Act and other data protection legislation, including legislation enacted to implement Directive (EU) 2016/680;
- to monitor compliance with this Act and other data protection legislation, including legislation enacted to implement Directive (EU) 2016/680, and with the policies of the public body in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice as regards the data protection impact assessment and monitor its implementation pursuant to Section 67 of this Act;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Section 69 of this Act, and to consult, where appropriate, with regard to any other matter.
In the case of a data protection officer ordered by a court, these tasks shall not refer to the action of the court acting in its judicial capacity.
(2) The data protection officer may perform other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
(3) The data protection officer shall in the performance of his or her tasks give due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Appointment in private bodies
Section 38: Data protection officers of private bodies
(1) In addition to Article 37 (1) (b) and (c) of Regulation (EU) 2016/679, the controller and processor shall designate a data protection officer if they constantly employ as a rule at least ten persons dealing with the automated processing of personal data. If the controller or processor undertake processing subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679, or if they commercially process personal data for the purpose of transfer, of anonymized transfer or for purposes of market or opinion research, they shall designate a data protection officer regardless of the number of persons employed in processing.
(2) Section 6 (4), (5), second sentence, and (6) shall apply; Section 6 (4) however shall apply only if designating a data protection officer is mandatory.
Section 40
(6) The supervisory authorities shall advise and support the data protection officers to meet their typical needs. They may demand the dismissal of a data protection officer if he or she does not have the expert knowledge needed to perform his or her tasks or if there is a serious conflict of interests as referred to in Article 38 (6) of Regulation (EU) 2016/679.5
Liabilities: No specific statutory liabilities as such, but contractual liabilities may be imposed.
United Kingdom
Appointment
Section 69: Designation of a data protection officer
(1) The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.
(2) When designating a data protection officer, the controller must have regard to the professional qualities of the proposed officer, in particular—
(a) The proposed officer’s expert knowledge of data protection law and practice, and
(b) The ability of the proposed officer to perform the tasks mentioned in section 71.
(3) The same person may be designated as a data protection officer by several controllers, taking account of their organisational structure and size.
(4) The controller must publish the contact details of the data protection officer and communicate these to the Commissioner.
Section 70: Position of data protection officer
(1) The controller must ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
(2) The controller must provide the data protection officer with the necessary resources and access to personal data and processing operations to enable the data protection officer to—
(a) Perform the tasks mentioned in section 71, and
(b) Maintain his or her expert knowledge of data protection law and practice.
(3) The controller—
(a) Must ensure that the data protection officer does not receive any instructions regarding the performance of the tasks mentioned in section 71;
(b) Must ensure that the data protection officer does not perform a task or fulfil a duty other than those mentioned in this Part where such task or duty would result in a conflict of interests;
(c) Must not dismiss or penalise the data protection officer for performing the tasks mentioned in section 71.
(4) A data subject may contact the data protection officer with regard to all issues relating to—
(a) The processing of that data subject’s personal data, or
(b) The exercise of that data subject’s rights under this Part.
(5) The data protection officer, in the performance of this role, must report to the highest management level of the controller.
5 https://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html#p0316
Responsibilities
Section 71: Tasks of data protection officer
(1) The controller must entrust the data protection officer with at least the following tasks—
(a) informing and advising the controller, any processor engaged by the controller, and any employee of the controller who carries out processing of personal data, of that person’s obligations under this Part,
(b) providing advice on the carrying out of a data protection impact assessment under section 64 and monitoring compliance with that section,
(c) co-operating with the Commissioner,
(d) acting as the contact point for the Commissioner on issues relating to processing, including in relation to the consultation mentioned in section 65, and consulting with the Commissioner, where appropriate, in relation to any other matter,
(e) monitoring compliance with policies of the controller in relation to the protection of personal data, and
(f) monitoring compliance by the controller with this Part.
(2) In relation to the policies mentioned in subsection (1)(e), the data protection officer’s tasks include—
(a) assigning responsibilities under those policies,
(b) raising awareness of those policies,
(c) training staff involved in processing operations, and
(d) conducting audits required under those policies.
(3) In performing the tasks set out in subsections (1) and (2), the data protection officer must have regard to the risks associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Liabilities
Section 119: Inspection of personal data in accordance with international obligations
(6) It is an offence—
(a) intentionally to obstruct a person exercising the power under subsection (1), or
(b) to fail without reasonable excuse to give a person exercising that power any assistance the person may reasonably require.
Section 144: False statements made in response to information notices
It is an offence for a person, in response to an information notice—
(a) to make a statement which the person knows to be false in a material respect, or
(b) recklessly to make a statement which is false in a material respect.
Section 148: Destroying or falsifying information and documents etc
(1) This section applies where a person—
(a) has been given an information notice requiring the person to provide the Commissioner with information, or
(b) has been given an assessment notice requiring the person to direct the Commissioner to a document, equipment or other material or to assist the Commissioner to view information.
(2) It is an offence for the person—
(a) to destroy or otherwise dispose of, conceal, block or (where relevant) falsify all or part of the information, document, equipment or material, or
(b) to cause or permit the destruction, disposal, concealment, blocking or (where relevant) falsification of all or part of the information, document, equipment or material,
with the intention of preventing the Commissioner from viewing, or being provided with or directed to, all or part of the information, document, equipment or material.
(3) It is a defence for a person charged with an offence under subsection (2) to prove that the destruction, disposal, concealment, blocking or falsification would have occurred in the absence of the person being given the notice.
Section 198: Liability of directors etc
(1) Subsection (2) applies where—
(a) an offence under this Act has been committed by a body corporate, and
(b) it is proved to have been committed with the consent or connivance of or to be attributable to neglect on the part of—
(i) a director, manager, secretary or similar officer of the body corporate, or
(ii) a person who was purporting to act in such a capacity.
(2) The director, manager, secretary, officer or person, as well as the body corporate, is guilty of the offence and liable to be proceeded against and punished accordingly.
(3) Where the affairs of a body corporate are managed by its members, subsections (1) and (2) apply in relation to the acts and omissions of a member in connection with the member’s management functions in relation to the body as if the member were a director of the body corporate.6
Is the DPO responsible for compliance?
The DPO isn’t personally liable for data protection compliance. As the controller or processor it remains your responsibility to comply with the GDPR. Nevertheless, the DPO clearly plays a crucial role in helping you to fulfil your organisation’s data protection obligations.7
6 http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
7 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/
France
On October 11, 2018, the French data protection authority (the “CNIL”) announced that it adopted two referentials (i.e., guidelines) on the certification of the data protection officer (“DPO”). View the announcement (in French). As a practical matter, both referentials are intended to apply to DPOs located in France or who speak French. The referentials include:
• a certification referential that sets forth the conditions regarding the admissibility of DPO applications, and lists 17 qualifications that the DPO must have in order to be certified as a DPO by a certification body approved by the CNIL; and
• an accreditation referential that outlines the criteria organizations must satisfy in order to be accredited by the CNIL as certification bodies.
View the certification referential and the accreditation referential (both in French).
The certification of a DPO based on the standards of the CNIL’s referential is not a prerequisite in order to be appointed as a DPO with the CNIL and fulfill the responsibilities of a DPO. It is a purely voluntary process to assist in demonstrating compliance with the GDPR requirements. Article 37(5) of the GDPR requires that the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the [DPO] tasks.”
In the CNIL’s view, the certificate is a vote of confidence not only for the organization that has a certified DPO, but also for its clients, vendors, employees or agents, since that organization will be able to demonstrate that the DPO has the required level of expertise and skills.
The certification will only be available to individuals (and not to legal persons).
To be eligible for certification, candidates will need to fulfill one of the following conditions:
• professional experience of at least 2 years in projects, activities or tasks related to data protection and the tasks of a DPO; or
• professional experience of at least 2 years in any field, with at least 35 hours of data protection training administered by a training body.
The test will be conducted in French only.8
8 https://www.huntonprivacyblog.com/2018/10/18/cnil-adopts-referentials-dpo-certification/
Italy
The GDPR does not provide for any specific liability for the DPO. However, the Art. 29 Working Party addresses this issue in its Guidelines on Data Protection Officers of 13 December 2016. These guidelines state that the controller or the processor remains responsible for compliance with the data protection laws, and accordingly it will be up to the controller or processor to demonstrate compliance, regardless of how much autonomy the DPO is granted.
Therefore, even though the DPO is responsible for assisting the controller or processor in monitoring the internal compliance, the DPO is not personally responsible for any non-compliance with the GDPR. In addition, the GDPR further clarifies that the DPO should not be dismissed or penalised by the controller or the processor for performing his or her tasks.
This does not mean, however, that DPOs are not liable for their activities. The DPO remains liable for non-compliance with general employment, contracts, civil (or tort, within a common law scenario) and criminal rules, as also set out by the domestic laws of the relevant member states.
Accordingly, the DPO can still be dismissed or penalised based not only on obvious grounds unrelated to the DPO role such as theft or harassment, but also on other grounds related to poor performance (or non-performance) of DPO functions.
The DPO is appointed by the controller or the processor on the basis of a consultancy or an employment contract. For example, in Italy, in addition to the breach of the relevant contract provisions, the DPO may be responsible for breach of duty of care (diligenza) required for the tasks to be performed among other things.
The standards for such duty of care are set at a very high level, given the importance of the DPO role and the relevance of data protection activities. Furthermore, the DPO may be responsible for breach of the loyalty obligation (obbligo di fedeltà) towards the employer, for instance in all cases in which a breach of secrecy or confidentiality obligations occurs.
Without prejudice to the DPO’s duty of care, consistent with that set out for the data processors, the DPO shall not be held liable where losses are caused by strict compliance with the data controller’s instructions.
As for responsibilities under criminal law, as a general principle in Italy the data controller (and not the DPO) may be held liable for the crimes set forth under the Data Protection Code (DPC), including the unlawful processing of personal data (trattamento illecito di dati), or the failure to adopt minimum security measures. That said, certain criminal law provisions may remain applicable also to a DPO. For instance, a DPO may still be held directly liable for violation of secrets or for false statements before the Italian Data Protection Authority.
The above conclusions will apply regardless of whether the DPO is a corporate entity or an individual. That said, it can also be argued any assessment of a DPO’s responsibilities should be linked to the resources they have been allocated. In this respect the GDPR provides that, among other things, companies should support the DPO by providing all resources necessary to carry out their tasks and maintain their expert knowledge. Such knowledge will need to be proportionate to the sensitivity, complexity and volume of data processed by the company.
Should DPOs be put in a position where they are unable to adequately perform their role, for instance because they lack adequate staff and funds for training, their degree of responsibility will likely be reduced. To this end, DPOs should accurately document the requests they make for resources to properly carry out their tasks. This might include requests for more team members or for time to dedicate their full attention to DPO tasks without being absorbed by other prevailing company duties. In this respect, the WP29 Guidelines may provide very useful guidance.9
9 https://blogs.dlapiper.com/privacymatters/italy-will-data-protection-officers-liable/
South Africa
Responsibilities
Section 4
(1) An information officer must, in addition to the responsibilities referred to in section 55(1) of the Act, ensure that-
(a) a compliance framework is developed, implemented, monitored and maintained;
(b) a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
(c) a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);
(d) internal measures are developed together with adequate systems to process requests for information or access thereto; and
(e) internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.
(2) The information officer shall upon request by any person, provide copies of the manual to that person upon the payment of a fee to be determined by the Regulator from time to time.
Section 55: Duties and responsibilities of an information officer
- An information officer’s responsibilities include:
(a) The encouragement of compliance, by the body, with the conditions for the lawful processing of personal information
(b) Dealing with requests pursuant to this Act
(c) Working with the regulator in relation to the investigations conducted pursuant to chapter 6 in relation to the body.
(d) Otherwise ensuring compliance of the body with the provisions of this Act
(e) And other measures as may be prescribed
- Officers must take up their duty in terms of this Act only after the responsible party has registered them with the regulator.
Appointment
Section 56: Designation and delegation of deputy information officers
Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of-
(a) such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities set out in section 55(1) of this Act;
(b) any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.
Liabilities
Section 59: Failure to notify processing subject to prior authorisation
If section 58(1) or (2) is contravened, the responsible party is guilty of an offence and liable to a penalty as set out in section 107.
Section 100
Any person who hinders, obstructs or unlawfully influences the Regulator or any person acting on behalf of or under the direction of the Regulator in the performance of the Regulator’s duties and functions under this Act, is guilty of an offence.
Section 101: Breach of confidentiality.
Any person, who contravenes the provisions of section 54, is guilty of an offence.
Section 102: Obstruction of execution of warrant.
Any person who—
(a) Intentionally obstructs a person in the execution of a warrant issued under section 82; or
(b) fails without reasonable excuse to give any person executing such a warrant such assistance as he or she may reasonably require for the execution of the warrant, is guilty of an offence.
Section 103: Failure to comply with enforcement or information notices.
(1) A responsible party which fails to comply with an enforcement notice served in terms of section 95, is guilty of an offence.
(2) A responsible party which, in purported compliance with an information notice served in terms of section 90—
(a) makes a statement knowing it to be false; or
(b) recklessly makes a statement which is false, in a material respect, is guilty of an offence.
Section 105: Unlawful acts by responsible party in connection with account number.
(1) A responsible party who contravenes the provisions of section 8 insofar as those provisions relate to the processing of an account number of a data subject is, subject to subsections (2) and (3), guilty of an offence.
(2) The contravention referred to in subsection (1) must—
(a) be of a serious or persistent nature; and
(b) likely cause substantial damage or distress to the data subject.
(3) The responsible party must—
(a) have known or ought to have known that—
(i) there was a risk that the contravention would occur; or
(ii) such contravention would likely cause substantial damage or distress to the data subject; and
(b) have failed to take reasonable steps to prevent the contravention.
(4) Whenever a responsible party is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that he or she has taken all reasonable steps to comply with the provisions of section 8.
(5) “Account number”, for purposes of this section and section 106, means any unique identifier that has been assigned—
(a) to one data subject only; or
(b) jointly to more than one data subject, by a financial or other institution which enables the data subject, referred to in paragraph (a), to access his, her or its own funds or to access credit facilities or which enables a data subject, referred to in paragraph (b), to access joint funds or to access joint credit facilities.
Section 106: Unlawful acts by third parties in connection with account number.
(1) A person who knowingly or recklessly, without the consent of the responsible party—
(a) obtains or discloses an account number of a data subject; or
(b) procures the disclosure of an account number of a data subject to another person, is, subject to subsection (2), guilty of an offence.
(2) Whenever a person is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that—
(a) the obtaining, disclosure or procuring of the account number was—
(i) necessary for the purpose of the prevention, detection, investigation or proof of an offence; or
(ii) required or authorised in terms of the law or in terms of a court order;
(b) he or she acted in the reasonable belief that he or she was legally entitled to obtain or disclose the account number or, as the case may be, to procure the disclosure of the account number to the other person;
(c) he or she acted in the reasonable belief that he or she would have had the consent of the responsible party if the responsible party had known of the obtaining, disclosing or procuring and the circumstances of it; or
(d) in the particular circumstances the obtaining, disclosing or procuring was in the public interest.
(3) A person who sells an account number which he or she has obtained in contravention of subsection (1), is guilty of an offence.
(4) A person who offers to sell the account number of a data subject which that person—
(a) has obtained; or
(b) subsequently obtained,
in contravention of subsection (1), is guilty of an offence.
(5) For the purposes of subsection (4), an advertisement indicating that an account number of a data subject is or may be for sale is an offer to sell the information.
Section 107 Penalties
Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of—
(a) section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment; or
(b) section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.10
10 https://www.gov.za/sites/default/files/gcis_document/201409/3706726-11act4of2013protectionofpersonalinforcorrect.pdf
Note: Sections 59, 103 and 105 are only applicable to a responsible party. POPIA defines ‘‘responsible party’’ as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
Therefore, if an information officer plays no role in determining the means and purpose of data processing, he shall incur no liability under these sections.
Brazil
Appointment and responsibilities-
Article 41: Data Protection Officer
The controller shall indicate a data protection officer.
Paragraph 1- The identity and contact data of the data protection officer shall be publicly, clearly and objectively disclosed, preferably in the controllers’ website.
Paragraph 2- The activities of the data protection officer consist of the following:
I – to accept complaints and communications from the data subjects, provide clarifications and take measures;
II – to receive communications from the supervisory authority and take measures;
III – to instruct the employees and contractors of the entity on the practices to be adopted in relation to the personal data protection; and
IV – to carry out any other duties established by the controller or in supplementary rules.
Paragraph 3- The supervisory authority may establish supplementary rules on the definition and duties of the data protection officer, including the cases in which there is no need for appointing such data protection officer, in accordance with the nature and size of the entity or the volume of data processing operations.11
Liabilities- No statutory liabilities as such but contractual liabilities may be imposed.
11 http://portaldaprivacidade.com.br/wp-content/uploads/2018/08/LGPD-english-version.pdf
Singapore
DPO Responsibilities
An organisation may appoint one or a team of persons to be its DPO. Organisations are free to assess and decide, according to their needs, whether the DPO function should be a dedicated responsibility or an additional function within an existing role in the organisation. Once appointed, the DPO may in turn delegate certain responsibilities to other officers.
Organisations with manpower or capability constraints can also consider outsourcing parts of the DPO function to a service provider. Do note, however, that the DPO function is management’s responsibility and that the outsourcing service should cover only the operational aspects of the DPO function.
Organisations should take time to assess their needs before appointing a person suitable for the role of a DPO. The possible responsibilities of a DPO may include, but are not limited to, the following:
• Ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data;
• Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
• Manage personal data protection related queries and complaints;
• Alert management to any risks that might arise with regard to personal data; and
• Liaise with the PDPC on data protection matters, if necessary.12
12 https://www.pdpc.gov.sg/Organisations/Data-Protection-Officers
Appointment-
Section 11
(3) An organisation shall designate one or more individuals to be responsible for ensuring that the organisation complies with this Act.
Liabilities-
Section 51
(1) A person shall be guilty of an offence if he makes a request under section 21 or 22, as the case may be, to obtain access to or to change the personal data about another individual without the authority of that individual.
(2) Any person guilty of an offence under subsection (1) shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months or to both.
(3) An organisation or person commits an offence if the organisation or person —
(a) with an intent to evade a request under section 21 or 22, disposes of, alters, falsifies, conceals or destroys, or directs another person to dispose of, alter, falsify, conceal or destroy, a record containing —
(i) personal data; or
(ii) information about the collection, use or disclosure of personal data;
(b) obstructs or hinders the Commission, an inspector or an authorised officer in the performance of any function or duty, or the exercise of any power, under this Act; or
(c) makes a statement, or furnishes any information or document, to the Commission, an inspector or an authorised officer under this Act, which the organisation or person knows, or ought reasonably to know, to be false or misleading in any material particular.
(4) An organisation or person that commits an offence under subsection (3)(a) is liable —
(a) in the case of an individual, to a fine not exceeding $5,000; and
(b) in any other case, to a fine not exceeding $50,000.
(5) An organisation or person that commits an offence under subsection (3)(b) or (c) is liable —
(a) in the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both; and
(b) in any other case, to a fine not exceeding $100,000.
Section 52
(1) Where an offence under this Act committed by a body corporate is proved —
(a) to have been committed with the consent or connivance of an officer; or
(b) to be attributable to any neglect on his part,
the officer as well as the body corporate shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
(2) Where the affairs of a body corporate are managed by its members, subsection (1) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.
(4) Where an offence under this Act committed by an unincorporated association (other than a partnership) is proved —
(a) to have been committed with the consent or connivance of an officer of the unincorporated association or a member of its governing body; or
(b) to be attributable to any neglect on the part of such an officer or member,
the officer or member as well as the unincorporated association shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
(5) In this section —
“body corporate” includes a limited liability partnership; “officer” —
(a) in relation to a body corporate, means any director, partner, member of the committee of management, chief executive, manager, secretary or other similar officer of the body corporate and includes any person purporting to act in any such capacity; or
(b) in relation to an unincorporated association (other than a partnership), means the president, the secretary, or any member of the committee of the unincorporated association, or any person holding a position analogous to that of president, secretary or member of such a committee and includes any person purporting to act in any such capacity;
“partner” includes a person purporting to act as a partner.
(6) Regulations may be made to provide for the application of any provision of this section, with such modifications as the Minister considers appropriate, to any body corporate or unincorporated association formed or recognised under the law of a territory outside Singapore.
Liability of employers for acts of employees
Section 53
(1) Any act done or conduct engaged in by a person in the course of his employment (referred to in this section as the employee) shall be treated for the purposes of this Act as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer’s knowledge or approval.
(2) In any proceedings for an offence under this Act brought against any person in respect of an act or conduct alleged to have been done or engaged in, as the case may be, by an employee of that person, it is a defence for that person to prove that he took such steps as were practicable to prevent the employee from doing the act or engaging in the conduct, or from doing or engaging in, in the course of his employment, acts or conduct, as the case may be, of that description.
Section 56
Any person guilty of an offence under this Act for which no penalty is expressly provided shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a continuing offence, to a further fine not exceeding $1,000 for every day or part thereof during which the offence continues after conviction.
Section 60
No liability shall be incurred by —
(a) any member or officer of a relevant body;
(b) any person authorised, appointed or employed to assist a relevant body;
(c) any person who is on secondment or attachment to a relevant body;
(d) any person authorised or appointed by a relevant body to exercise the relevant body’s powers, perform the relevant body’s functions or discharge the relevant body’s duties or to assist the relevant body in the exercise of its powers, the performance of its functions or the discharge of its duties under this Act or any other written law; or
(e) any inspector or any person authorised, appointed or employed to assist him in connection with any function or duty of the inspector under this Act,
as a result of anything done (including any statement made) or omitted to be done with reasonable care and in good faith in the course of or in connection with —
(i) the exercise or purported exercise of any power under this Act or any other written law;
(ii) the performance or purported performance of any function or the discharge or purported discharge of any duty under this Act or any other written law; or
(iii) the compliance or purported compliance with this Act or any other written law.13
13 https://sso.agc.gov.sg/Act/PDPA2012
New Zealand
Appointment-
Section 23 Privacy officers
It shall be the responsibility of each agency to ensure that there are, within that agency, 1 or more individuals whose responsibilities include—
(a) the encouragement of compliance, by the agency, with the information privacy principles:
(b) dealing with requests made to the agency pursuant to this Act:
(c) working with the Commissioner in relation to investigations conducted pursuant to Part 8 in relation to the agency:
(d) otherwise ensuring compliance by the agency with the provisions of this Act.
Liabilities-
Section 114F Offence in relation to transfer prohibition notice
Every person who, without reasonable excuse, fails or refuses to comply with a transfer prohibition notice commits an offence and is liable on conviction to a fine not exceeding $10,000.
Section 126 Liability of employer and principals
(1) Subject to subsection (4), anything done or omitted by a person as the employee of another person shall, for the purposes of this Act, be treated as done or omitted by that other person as well as by the first-mentioned person, whether or not it was done with that other person’s knowledge or approval.
(2) Anything done or omitted by a person as the agent of another person shall, for the purposes of this Act, be treated as done or omitted by that other person as well as by the first-mentioned person, unless it is done or omitted without that other person’s express or implied authority, precedent or subsequent.
(3) Anything done or omitted by a person as a member of any agency shall, for the purposes of this Act, be treated as done or omitted by that agency as well as by the first-mentioned person, unless it is done or omitted without that agency’s express or implied authority, precedent or subsequent.
(4) In proceedings under this Act against any person in respect of an act alleged to have been done by an employee of that person, it shall be a defence for that person to prove that he or she or it took such steps as were reasonably practicable to prevent the employee from doing that act, or from doing as an employee of that person acts of that description.14
Canada
Appointment-
Schedule 1
4.1 Principle 1 Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
Liabilities-
Section 28 Offence and punishment
Every organization that knowingly contravenes subsection 8(8), section 10.1 or subsection 10.3(1) or 27.1(1) or that obstructs the Commissioner or the Commissioner’s delegate in the investigation of a complaint or in conducting an audit is guilty of
(a) an offence punishable on summary conviction and liable to a fine not exceeding $10,000; or
(b) an indictable offence and liable to a fine not exceeding $100,000.
Note: According to section 2, “Organization” includes an association, a partnership, a person and a trade union. Therefore, liability will only be incurred if the data protection officer falls within the purview of the term “organization”. Liability can probably be avoided if specific clauses are included in the contract to that effect.15
14 http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM296639.html