Data Protection Officers – Everything You Need to Know in Serbia


The Law on the Protection of Personal Data ("Official Gazette of RS", No. 87/2018) - hereinafter: "the Law" - following the example of Regulation (EU) 2016/679, the General Data Protection Regulation ("GDPR"), introduced the term and, consequently, the function of Data Protection Officer ("DPO").

Controllers and processors are obliged to appoint a DPO in cases determined by the Law, where:

- the processing is carried out by a public authority or body (state authorities, public companies, institutions, etc.);

- the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (a company engaged in video surveillance, online monitoring, internet or mobile providers, etc.) or

- the core activities of the controller or the processor consist of processing on a large scale of special categories of data (e.g. hospital) and personal data relating to criminal convictions and offences.

In other cases, the appointment of a DPO is not mandatory, but it is recommended. The DPO must have the necessary knowledge in the subject area, which facilitates achieving compliance and communicating with the competent authorities and with data subjects.

The Article 29 Data Protection Working Party (WP29), an independent European body that issues opinions and guidelines on the implementation of the GDPR, recommends an internal analysis of whether a DPO needs to be appointed, so as to act in accordance with the accountability principle, except in cases where it is obvious that there is no obligation to appoint one.

Designation and position  

The DPO shall be designated on the basis of professional qualities – his/her expert knowledge, practice and the ability to fulfil the tasks stipulated by the Law. We believe that the DPO should be familiar with the provisions of the GDPR, as the regulation on which the Law was modelled, and should follow the application of European regulations and opinions, as well as the case law of European courts in this area. The wording "the ability to fulfil the tasks stipulated by the Law" indicates that the independence of this function is necessary. The position of DPO is incompatible with positions such as company director or the person in charge of HR. If a DPO had to represent simultaneously the interests of the company that engages him/her and the interests of data subjects (employees, job candidates, company clients), there would be a conflict of interest and the necessary independence of the function could not be achieved.

A DPO can be engaged internally (as an employee) or externally (on the basis of a contract). Ideally, the position of DPO should be filled by the controller internally, by a person with experience in the field of personal data protection, as their sole and full-time job. The reality, however, is different: on the one hand there are not enough qualified professionals, and on the other employers rarely decide to create a dedicated position with adequate compensation, especially in companies that have no legal obligation to appoint a DPO. That is why engaging an external expert (e.g. a data protection lawyer) to perform this function is becoming increasingly common. An expert who is not part of the organisation that engages him/her has an independent position and the necessary knowledge, which is convenient for controllers; it is nevertheless essential that this person is familiar with the data flows in the company at all times and is available to all data subjects.

In accordance with the Law, as well as with the provisions of the GDPR, a group of companies may designate a single DPO, provided that the DPO is equally accessible to every member of the group. This means that a DPO who performs this function for a company in Serbia should be available to communicate, in the Serbian language, with data subjects, the controllers and the competent data protection authority - the Commissioner for Information of Public Importance and Protection of Personal Data ("the Commissioner"). Our previous practice has shown that the DPO function is performed more efficiently locally, especially where a Serbian company is part of a group with headquarters in the EU. Complex corporate procedures and a lack of knowledge of local regulations and/or the language make it difficult to perform this function "remotely", and it is often the case that the DPO is not equally accessible to every member of the group, which is a legal obligation.

The controller and the processor shall ensure that the DPO is involved in all issues relating to the protection of personal data, and shall provide him/her with the necessary resources, access to data and processing operations, training and independence.

The controller or processor is obliged to publish the contact details of the DPO and submit them to the Commissioner who keeps records of DPOs on the prescribed form.

Tasks and responsibility

The DPO shall have at least the following tasks:

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations related to personal data protection;
  • to monitor compliance with this Law, other regulations and with internal policies of the controller or processor in relation to the protection of personal data;
  • to provide advice where requested regarding the data protection impact assessment ("DPIA") and monitor its performance;
  • to cooperate with the Commissioner.

Additionally, the DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks.

The Law separately prescribes the obligation of the DPO, in the performance of his or her tasks, to have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing. Consequently, in order to be able to advise on a DPIA and monitor its performance, the DPO must, in addition to the knowledge mentioned above, also possess technical knowledge in the field of risk assessment.

The provisions of the Law protect the DPO – he/she shall not be dismissed or penalised by the controller or the processor for performing his/her tasks. On the other hand, the Law does not prescribe the grounds on which a DPO may be removed from the function. We believe that the employment contract or other contract should define the situations that would be considered a breach of work obligations, i.e. grounds for termination of the position.

As regards responsibility, the DPO shall report directly to the highest management level of the controller or the processor on the fulfilment of his/her tasks. This means that the obligation to act in accordance with the provisions of the Law rests with the controller or the processor, and not with the DPO. The controller is obliged to implement appropriate technical, organisational and personnel measures, as well as to perform a DPIA. The controller or processor must respect the principles of processing, including the accountability principle.

The penal provisions of the Law provide for misdemeanour fines both for controllers/processors and for the responsible person. As the tasks of a DPO prescribed by the Law are advisory in nature, we believe that the DPO could not be held liable for a misdemeanour, especially since the final decisions regarding the protection of personal data are made by other persons at the controller or the processor, and not by the DPO.

The role of the DPO is crucial in establishing personal data protection standards. The effective work of a qualified person contributes to companies' compliance with their legal obligations, as well as to strengthening citizens' trust in the way their data is processed.

WP 29 Guidelines on DPOs https://ec.europa.eu/newsroom/just/document.cfm?doc_id=44100

By Andrea Cvetanovic, Senior Associate, JPM Serbia
