The appointment of a DPO is mandatory in the following three cases:

• the organisation is a public authority;
• the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
• the organisation’s core activities consist in large-scale processing of sensitive data  or personal data relating to criminal convictions and offences.

You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.

More information:

• Data Protection Officer

The GDPR imposes obligations on all organisations that process personal data, regardless of whether they are data controllers or data processors.

In particular, you should:

• Ask yourself if the purpose for which personal data may be collected is justified, and collect only personal data that is necessary for the specific purpose(s) envisaged;
• Keep individuals’ personal data accurate and up to date, and delete the data when it is no longer necessary;
• Respect individuals’ rights by informing them about how and why their data are processed, and allowing them to exercise their rights;
• Check if you have an appropriate legal basis for the processing of personal data. In case you intend to rely on the consent of individuals, ask for their consent before processing their personal data;
• Make sure that individuals’ personal data is handled in a secure way;
• Maintain a record of processing operations.

Data processors will have to adhere to the responsibilities set out in the controller-processor contract, and they must not process the data otherwise than according to the controller’s instructions.

More information:

• Be compliant
• Data controller or data processor
• Data protection basics

• Any processing of personal data must be lawful, fair and transparent.
• Only collect personal data for specified, explicit and legitimate purposes. The processing of an individual’s data must be strictly limited to the purpose(s) initially established, and therefore not processed for subsequent or other purpose(s) that are incompatible with the initial purposes.
• Only process personal data that is necessary and proportionate in light of the purpose envisaged.
• All personal data you process must be accurate and kept up to date. Inaccurate personal data must be rectified or erased.
• The storage of individuals’ personal data must be limited in time, in light of the purpose for which this data was collected and processed. As such, individuals’ personal data must be deleted or anonymised once this data is no longer necessary.
• The processing of individuals’ data must be done in a secure way. In this sense, robust cybersecurity controls, must be put in place to ensure that individuals’ data is adequately protected.

Finally, the controller is accountable. This means it is responsible for and must be able to demonstrate compliance with the principles above.

More information:

• Data protection basic

Data controllers can only process personal data in one of the following circumstances:

• with the consent of the individuals concerned;
• where processing is necessary for the performance of a contract (a contract between your organisation and an individual);
• to meet a legal obligation under EU or national legislation;
• where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
• to protect the vital interests of an individual;
• for your organisation’s legitimate interests - except where they are overridden by the rights and freedoms of individuals.

In addition, the GDPR establishes additional conditions for the processing of sensitive data.

More information:

• Process personal data lawfully

The task of the DPO include, among others:

• to inform and advise the organisation and its employees on data protection compliance;
• to monitor data protection compliance;
• to provide advice on requests concerning the data protection impact assessment (DPIA);
• to act as a contact point for the data protection authority (DPA) and to cooperate with that DPA;
• to act as a contact point for individuals.

In addition, the DPO’s presence is generally recommended where decisions with data protection implications are taken. The DPO should also be promptly consulted once a data breach or another incident has occurred.

More information:

• Data Protection Officer

A valid contract between the data controller and data processor is obligatory under the GDPR. An infringement can be subject to an administrative fine up to 10M€ or up to 2% of the total annual turnover of a company, whichever is higher.

To help guide you when setting up a controller-processor agreement, the Danish and Slovenian data protection authorities, as well as the European Commission, have developed template agreements.

More information:

• Data controller or data processor

DPOs can fulfil other tasks within the organisation, but this cannot result in a conflict of interest. This implies that the DPO cannot have a position in which they determine the purposes and means of the processing activities. Conflicting functions include mainly management positions (chief executive, chief operating, chief financial officer, Head of HR, Head of IT, managing director) but may also involve other functions if they lead to the determination of purposes and means of processing.

The DPO must be able to perform their duties and tasks in an independent manner. This means that your organisation:

• may not give instructions to the DPO with regard to the performance of their DPO duties;
• may not penalise or dismiss the DPO for performing their tasks.

More information:

• Data Protection Officer

Processing personal data means any type of activity (processing operation) performed on or with individuals’ personal data. This includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, inquiry, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

The GDPR gives individuals control over the processing of their personal data. In order to do this, transparency is key. This means you have to inform individuals whose data you process about your processing operations and the purposes. In other words, you have to explain who processes their data, but also how and why. Only if the use of personal data is 'transparent' for those involved, can they assess possible risks and make decisions about their personal data.

Under the GDPR you are obliged to share the following information with individuals:

• the identity and contact details of the controller;
• the purposes of the processing;
• the legal basis of the processing (if legitimate interest, specific information about which legitimate interests relate to the specific processing, and about which  entity  pursues  each  legitimate  interest.)
• the contact details of the controller;
• the contact details of the DPO (if there is a DPO);
• the recipients or categories of recipients of the data;
• Information on whether the data will be transferred outside the European Economic Area (EEA) (where applicable: the existence or not of an adequacy decision or reference to the appropriate safeguards and how this information can be made available to data subjects);
• the categories of personal data processed, when the data is not obtained from the individual.

In addition, the GDPR requires your organisation to provide the following information to ensure fair and transparent processing:

• the retention period or, where this is not possible, the criteria used to determine this period;
• the right to request access, erasure, rectification, restriction, objection and portability of personal data;
• the right to lodge a complaint with a data protection authority;
• if the legal basis for the processing is consent: the right to withdraw consent at any time;
• in the case of automated decision-making, relevant information about the underlying logic and the intended consequences of the processing for the data subject;
• the source of the personal data (if you did not directly receive it from the individual concerned;
• whether the individual is required to provide the personal data (by law or by contract or to enter into a contract) and what the consequences of refusing to provide the data are.

More information:

• Respect individuals’ rights

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of planned processing operations of your organisation by doing DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

• the processing - on a large scale- of sensitive personal data or data related to criminal convictions;  
• a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in questions or similarly significantly affect individuals;
• systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

More information:

• Be compliant