The role of the Data Protection Officer within the GDPR mechanism

News

On the occasion of the European Data Protection Day (28 January), the importance of continuing the process of implementing the measures established by the GDPR is reiterated, in order to ensure adequate and effective protection of personal data.

According to data provided by the National Authority for the Supervision of Personal Data Processing, in 2023, in Romania there were more than 4,700 complaints, referrals and notifications regarding security incidents, with an increase of about 10% compared to the previous year and a decrease of 18% compared to 2020. Of the 76 fines applied in 2023, with a value of more than 2 million lei, more than 90% of the fines were applied based on GDPR. The same statistics show us that although controllers continued to declare Data Protection Officers in 2023, registering 2,048 officers appointed by public and private controllers, one of the measures recommended on the occasion of the European Data Day 2024 is the discussion on the role and importance of a key player in this process: the Data Protection Officer (DPO or DPO).

The role of the Data Protection Officer is to assist the controller or processor in all matters relating to the protection of personal data. In particular, the DPO shall:

  • inform and advise the controller or processor and their employees on their obligations under data protection law;
  • monitor the organisation's compliance with all data protection laws, including through audits, awareness-raising activities and training of staff involved in processing operations;
  • to act as a point of contact for requests from individuals regarding the processing of their personal data and the exercise of their rights;
  • be involved by the organisation in an appropriate and timely manner.

At a theoretical level, the role and importance of the DPO in the GDPR mechanism is well defined in Article 37 of the GDPR. In practice, it is found that the DPO is superficially assessed and has an unclear role. Although they are obliged to appoint DPOs, companies choose to make appointments from among existing employees who are not trained in this area or who are not provided with a platform for learning and independence in fulfilling the role, and thus the whole process of implementing effective measures is flawed. In order for the DPO to best ensure compliance with data protection requirements, controllers and processors must provide the necessary resources, in terms of training and budget, to enable them to properly perform their duties. At a time when a number of pieces of EU digital legislation are being drafted or have recently entered into force, the role of the DPO is evolving and clarity of duties and recognition of the importance of the role is fundamental.

Hațegan Attorneys urges all organisations to carefully consider GDPR compliance to avoid the significant penalties of non-compliance.