The responsible person is an authorized person who supervises the protection of personal data during the processing of personal data by the controller or processor. The responsible person shall be designated on the basis of their professional qualities, in particular their expert knowledge of data protection law and practices, and their ability to perform the tasks referred to in Article 39 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
When performing their tasks, the responsible person shall take due account of the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing. In the performance of their tasks, they shall be bound by secrecy or confidentiality regarding information in accordance with Union or Member State law.
Is the appointment of a responsible person an obligation or a right?
According to Article 37 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, the controller and the processor shall designate a responsible person in each case where:
§ processing is carried out by a public authority or a body governed by public law, except for courts acting in their judicial capacity,
§ the main activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale,
§ the main activities of the controller or processor are processing special categories of data pursuant to Article 9 on a large scale or processing personal data relating to criminal convictions and offenses pursuant to Article 10.
A group of undertakings may designate a single controller if the controller is easily accessible from each establishment.
Where the controller or processor is a public authority or a body governed by public law, a single controller may be designated for several such authorities or bodies, taking into account their organizational structure and size.
In cases other than those referred to in paragraph 1, the responsible person may be designated or, where required by Union or Member State law, shall be designated by the controller or processor or by associations and other bodies representing categories of controllers or processors. The responsible person may act on behalf of such associations and other bodies representing controllers or processors.
Who can be a responsible person?
The responsible person shall be independent of the controller or processor. They report directly to the highest management of the controller or processor. They may be employed by the controller or processor, or they may perform their tasks as an external responsible person on the basis of a service contract.
The responsible person shall be designated on the basis of their professional qualities, in particular their expert knowledge of data protection law and practices, and their ability to perform the tasks.
The controller and processor are required to publish, for example on their website, the contact details of the responsible person and notify them to the personal data protection authority.
What are the tasks of the responsible person?
According to Article 37 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, the data protection officer has the following tasks:
- to provide information and advice to the controller or processor and to employees who carry out processing on their obligations under this Regulation and other Union or Member State law relating to data protection;
- monitoring compliance with this Regulation, with other Union or Member State legislation relating to personal data protection and with the rules of the controller or processor in relation to personal data protection, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations, and related audits,
- providing advice where requested as regards the assessment of the impact on data protection and monitoring its performance pursuant to Article 35,
- cooperating with the supervisory authority,
- acting as the contact point for the supervisory authority on issues relating to processing, including prior consultation referred to in Article 36 and, where appropriate, consultation on any other matter.
