A Data Protection Officer (“DPO”) is a person who oversees a company’s data protection strategy and its implementation in order to ensure compliance with the requirements of the General Data Protection Regulation (“GDPR”). It is recommended that any company that processes or stores personal data appoint a DPO.
The Serbian Act on Personal Data Protection (“DPA”) has not defined in detail what the specific qualifications of the DPO should be in terms of required professional knowledge, experience, etc. Nor has it defined the manner in which these criteria should be determined. However, it is indubitable that the DPO has to be a person with adequate knowledge, expertise and experience regarding the issues prescribed by the DPA and the GDPR.
The obligations of the DPO, as defined by the DPA, are the following:
- to inform and advise the controller or the processor and employees who carry out the processing of their obligations;
- to monitor the application of the DPA and other laws and internal regulations related to the protection of personal data. This includes dealing with issues of responsibility-sharing, raising awareness, and training all employees involved in processing operations, as well as controls;
- to provide advice where requested regarding the data protection impact assessment and monitor its performance;
- to serve as a contact point for cooperation with the Commissioner, and to consult with the Commissioner on issues related to processing, including informing the Commissioner and obtaining the Commissioner’s opinion.
Right or Duty to Designate the DPO?
According to the DPA, designating a DPO is the obligation of all public authorities that act as controllers and processors, except for courts acting in their judicial capacity. Furthermore, the controller and the processor must designate the DPO in any case where:
- the core activities of the controller or the processor consist of processing operations which, by their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; and
- the core activities of the controller or the processor consist of large-scale processing of special categories of data or personal data related to criminal convictions and offences.
In other cases, the controller and the processor certainly have the right, i.e., the possibility, to designate a DPO.
Also, the DPO may be important for both the controller and the processor, as well as for the persons to whom the data relates, since there will be a person with adequate knowledge, expertise, and experience who manages the processing of personal data. Thus, in order to ensure the protection of personal data, it is recommended that each controller and processor take advantage of this opportunity and designate a DPO.
The Choice Between a Resident or Non-resident and an Individual or a Legal Entity?
The DPA strictly stipulates that only an individual can be designated as the DPO. However, the DPA does not impose restrictions on the citizenship of that person – the DPO can be resident or non-resident without any limitations.
The Choice Between an In-House DPO or an Externally Engaged Person?
The DPA allows the controller and the processor to designate a staff member as a DPO or to hire an external person to perform these tasks on the basis of a service contract. In any case, it is necessary to ensure the independence and autonomy of the DPO in the performance of their duties.
It should definitely be taken into consideration that, although a trusted staff member of the controller or the processor may seem like the better option due to their familiarity with the business processes, an externally engaged person can offer more expertise and can also perform their duties with more independence and impartiality.
In addition to that, an externally engaged person will often form a team of experts as opposed to an in-house DPO, who will be one of the employees (most often the only one) with knowledge in the area of personal data protection.
To conclude, having a DPO in the company structure is desirable for the proper handling of personal data arising from the company’s working processes. Therefore, even when there is no obligation for it, it is advisable to appoint a DPO. This will make sure that the flow of personal data, as well as the data subjects, will be professionally, impartially, and independently protected.
This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.
By Katarina Zivkovic, Senior Associate, and Katarina Kracun, Junior Associate, Samardzic, Oreski & Grbovic