Article 37*

Article 37 – Tasks of the data protection officer

Commission Proposal

1. The controller or the processor shall entrust the data protection officer at least with the following tasks:

(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;
(d) to ensure that the documentation referred to in Article 28 is maintained;
(e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;
(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;
(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer’s competence, co-operating with the supervisory authority at the latter’s request or on the data protection officer’s own initiative;
(h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.

2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.

Go to related Recital 75

Go to related Recital 129

EDRi’s proposed amendment

1. The controller or the processor shall entrust the data protection officer at least with the following tasks:

(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design and, data protection by default according to Article 23, and data security according to Articles 30 to 32, and to the information of data subjects and their requests in exercising their rights according to Articles 11 to 20 under this Regulation;
(d) to ensure that the documentation referred to in Article 28 is maintained;
(e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;
(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;
(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer’s competence, co-operating with the supervisory authority at the latter’s request or on the data protection officer’s own initiative;
(h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.

2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.

Justification

Augmenting the list in point (c) of paragraph 1 with references to the relevant Articles ensures greater clarity and certainty.


The launch and upkeep (until December 31, 2013) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.