After the first set of guidelines on data transfers to third countries, the second set of guidelines has now been issued – this time concerning data protection officers.
The Danish Data Protection Agency, the Danish Agency for Digitisation, the Danish Business Authority and the Danish Ministry of Justice have now issued the second set in the series of guidelines on the provisions of the General Data Protection Regulation (GDPR) that will be issued during the period until January 2018. This time, the guidelines concern data protection officers (DPOs). Click here to see a Danish version of the guidelines.
The guidelines explain the requirements of the GDPR with regard to appointment of DPOs and describe the tasks, qualifications, position and involvement of DPOs.
From an HR law perspective, it is established, by way of example, that private businesses will typically process sensitive personal data (e.g. data on health and trade union membership), but that this does not in itself require the business to appoint a DPO.
In connection with the above, the Article 29 Working Party (A29 WP), which consists of representatives from the individual national European data protection agencies, has already issued an announcement concerning the role of the DPO, which is available here.
The content of the above is not, and should not be, a substitute for legal advice.
Must the Data Protection Agency be notified in case of an “internal” personal data breach?
The Data Protection Agency has expressed criticism of a municipality, inter alia, because the municipality had failed to notify a personal data breach to the Agency or communicate the breach to the affected employee.
Access to work emails? Can a request to access data be too extensive?
Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.