Tag: Data protection officer

Brazil changes new Data Protection Law and creates a Data Protection Authority

15. January 2019

On August 14, 2018, Brazil’s former president Michel Termer signed the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (we reported). Although the law enlarges the country’s data protection framework, the final text did not contain the creation of a data protection authority.

On December 28, 2018, Temer signed a last-minute executive order (Medida Provisória no. 869/18), which made important changes to the LGPD including the implementation of the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados or “ANPD”).

Despite the ANPD being an independent entity and being capable of freely handling and evaluating data protection and privacy issues, the authority still is part of the federal government and linked to the office of the President of Brazil.

According to the Executive Order no. 869/18 the ANPD has, among other things, the authority to:

  • Release rules and regulations regarding privacy and data protection;
  • Exclusively be responsible for monitoring and applying fines to non-compliant organizations;
  • Within the administrative field, exclusively interpret the LGPD, including cases in which the law remain silent; and
  • Promote privacy and data protection within the Brazilian society.

The new agency would consist of 28 members, five of them to be chosen by the president to constitute the board of directors and 23 members including public, private and third sector representatives to constitute an advisory board.

The order also establishes other important changes to the LGPD. For example that:

  • The LGPD will come into force in August 2020, six months after the originally scheduled date. Until then the ANPD will have an advisory and collaborative function.
  • The Data Protection Officer does not need to be an individual person. The tasks could be performed by an internal committee or department or could be outsourced to third parties such as specialized companies and law firms.

The executive order came into force immediately but must be voted into law by the Brazilian Congress to remain valid and become permanent.

Spain publishes new data protection law

11. December 2018

On December 6, 2018, the new Spanish data protection law was published in the “Boletín Oficial Del Estado”. The “Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales” (Organic Law on Data Protection and Digital Rights Guarantee) has been approved with 93% parliamentary support and implements the GDPR into national law.

The new law contains a number of regulations that will affect data processing operations. For example that the consent of a data subject is not enough to legitimate the processing of special categories of data if the main purpose is e.g. to identify an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or genetic data.

The law also includes a list of cases in which entities must appoint a data protection officer for example entities that operate networks and provide electronic communications services, education centres and public and private universities. All businesses have up to 10 days after (mandatory or voluntary) appointing a data protection officer to notify the Spanish Data Protection Authority of that fact.

However, one of the biggest changes is the introduction of new digital rights such as the right to universal access to the internet; the right to digital education; the right to privacy and use of digital devices in the workplace; the right to digital disconnection in the workplace; the right to privacy in front of video surveillance devices and sound recording at work; the right to digital will.

Being IT-Manager and Data Protection Officer? German Data Protection Authority sees this as a conflict of interest

24. November 2016

Background information:

Due to the fact that the German Federal Data Protection Act states that companies must appoint a Data Protection Officer if at least ten persons are involved in the automated processing of personal data, companies are asked to appoint an employee as an internal Data Protection Officer or appoint an external Data Protection Officer. In general, the Data Protection Officer needs to have the necessary knowledge of data protection law and must also be reliable and independent. Furthermore, a Data Protection Officer is reliability and independency in case he/she does not have other obligations which could lead to a conflict of interest.

What happened?

A German Data Protection Authority just fined a company as it appointed an internal Data Protection Officer who was also the IT-Manager. The Data Protection Authority argued that the position of an IT-Manager is incompatible with the position of the Data Protection Officer due to the fact that the Data Protection Officer would be required to monitor himself/herself. The Data Protection Authority explained that such self-monitoring is contradictory to the required independency that is necessary.

This is a very important statement as the upcoming GDPR requires the appointment of a Data Protection Officer as well and states further that it is not allowed that any further tasks and oblgations of the Data Protection Officer result in a conflict of interests – Having in mind that a violation of this may result in fines of up to 10.000.000 EUR or up to 2 % of the total worldwide annual turnover, whichever is higher.

White Paper on the role of DPOs according to the GDPR

22. November 2016

A White Paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation was just released by the Centre for Information Policy Leadership at Hunton & Williams LLP.

The White Paper provides guidance and recommendations in terms of the implementation requirements of the GDPR concerning the role of the Data Protection Officer, DPO.

According to the privacy and information Blog of Hunton & Williams, the mentioned White Paper aims

  • “to serve as formal input to the Article 29 Working Party’s work on developing further guidance on the proper implementation of the DPO role under the GDPR, which is expected to be finalized by the end of December and
  • to provide guidance for companies that must comply with the GDPR’s DPO provisions by May 25, 2018 (i.e., the date the GDPR becomes effective).”

About 28,000 data protection officers are requiered to be appointed under the GDPR

20. April 2016

Article 37 of the GDPR states that data controllers and processors of personal information are required to appoint a data protection officer in cace:

(a)  The processing is carried out by a public authority or body (except courts); or

(b)  The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”

A data protection officer is able to be appointed by a group, public authorities or individual legal entity. Article 39 of the GDPR requires that a data protection officer is “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. Compliance, trainings on how to process data according to the law and the communication with the national authorities are part of the task area of a data protection officer.

Therefore, due to the GDPR organizations worldwide have to prepare for a number of new requirements in terms of data collection and processing. One particular requirement is that certain organizations will now have to appoint a data protection officer according to Arcticle 37 of the GDPR, as mentioned above. Research indicates the number of data protection officers required to be appointed under the GDPR will be about 28,000. This is an estimate based on official statistics regarding both public and private sector data controllers in the EU and taking further assumptions into account such assuming that US companies obliged to comply with the GDPR would also require a data protection officer, and of those companies who self-certified under Safe Harbor are likely included in that number.