Data Protection Officer

  • Chapter
Dictionary of Statuses within EU Law

Abstract

The main innovation introduced by the General Data Protection Regulation (GDPR) is the principle of accountability, which aims to guarantee compliance with data protection principles and implies a cultural change that endorses transparent data protection, privacy policies and user control, internal clarity and procedures for operationalising privacy, and high-level, demonstrable responsibility to external stakeholders and data protection authorities.

The GDPR requires the controller to be responsible for making sure that all privacy principles are adhered to. Moreover, the GDPR requires that organisations and bodies demonstrate compliance with all the principles of the regulation: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. The designation of a Data Protection Officer (DPO) represents one of the ways to incorporate the accountability principle. The aim of this paper is to fill the gap in the existing literature by strengthening the relevance of the role of the DPO in helping controllers and processors comply with European Union law.

Notes

  1. European Parliament, the Council and the Commission (2012), Charter of Fundamental Rights of the European Union, (2012/C 326/02), 26.10.2012, O.J. (C 326) 391, Brussels.

  2. See, for example, joined cases C-92/09 and C-93/09, Volker and Markus Schecke GbR and Hartmut Eifert v. Land Hessen, 2010, E.C.R. I-11063.

  3. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, also called General Data Protection Regulation (GDPR), 2016, O.J. (L 119) 1.

  4. European Parliament and the Council of the European Union, Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, 2016, O.J. (L 119) 89.

  5. The Article 29 Data Protection Working Party (WP29) is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. The composition and purpose of WP29 were set out in Article 29 of the Data Protection Directive 95/46/EC, and it was launched in 1996.

  6. The GDPR does not define what constitutes a ‘public authority or body.’ The WP29 considers that such a notion is to be determined under national law. Accordingly, public authorities and bodies include national, regional and local authorities, but the concept, under the applicable national laws, typically also includes a range of other bodies governed by public law. In such cases, the designation of a DPO is mandatory. WP29 Guidelines on Data Protection Officers adopted on 13 December 2016.

  7. Core activities are intended to be ‘the key operations necessary to achieve the controller’s or processor’s goals’; however, they should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. See GDPR, supra n. 3.

  8. The notion of regular and systematic monitoring of data subjects is not defined in the GDPR, but the concept of ‘monitoring the behaviour of data subjects’ is mentioned in recital 24 and clearly includes all forms of tracking and profiling on the internet. However, the notion of monitoring is not restricted to the online environment, and online tracking should only be considered by way of example. WP29 interprets ‘regular’ as meaning one or more of the following: ongoing or occurring at particular intervals for a particular period; recurring or repeated at fixed times and constantly or periodically taking place. WP29 interprets ‘systematic’ as meaning one or more of the following: occurring according to a system; pre-arranged, organised or methodical; taking place as part of a general plan for data collection and carried out as part of a strategy.

  9. According to the WP29 Guidelines, the contact details of the DPO should include information allowing data subjects and the supervisory authorities to reach the DPO easily: a postal address, a dedicated telephone number, and a dedicated e-mail address, etc.

  10. See art. 37 (5) GDPR, supra n. 3.

  11. See Recital 97 GDPR, supra n. 3.

  12. Article 38(2) of the GDPR requires the organization to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.’ The data protection function must be effective and sufficiently well-resourced in relation to the data processing being carried out.

  13. See the website: https://www.gpdp.it/.

  14. In case of a disagreement, the WP29 recommends, as good practice, to document the reasons for not following the DPO’s advice. The DPO must be promptly consulted once a data breach or another incident has occurred.

Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Emili, A.M. (2019). Data Protection Officer. In: Bartolini, A., Cippitani, R., Colcelli, V. (eds) Dictionary of Statuses within EU Law. Springer, Cham. https://doi.org/10.1007/978-3-030-00554-2_16

  • DOI: https://doi.org/10.1007/978-3-030-00554-2_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00553-5

  • Online ISBN: 978-3-030-00554-2

  • eBook Packages: Law and Criminology (R0)
