Nascleanúint
RGCS (GDPR) > Airteagal 37. An t-oifigeach cosanta sonraí a ainmniú
Íoslódáil PDF

Airteagal 37 RGCS (GDPR). An t-oifigeach cosanta sonraí a ainmniú

Article 37 GDPR. Designation of the data protection officer

1. Ceapfaidh an rialaitheoir agus an próiseálaí oifigeach cosanta sonraí in aon cheann de na cásanna seo a leanas:

1. The controller and the processor shall designate a data protection officer in any case where:

(a) tá an phróiseáil á déanamh ag údarás nó comhlacht poiblí, ach amháin cúirteanna ag gníomhú faoina gcumas breithiúnach;

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

Téacsanna gaolmhara

(b) is é atá i bpríomhghníomhaíochtaí an rialaitheora nó an phróiseálaí oibríochtaí próiseála lena gceanglaítear, de bhua chineál, raon feidhme agus/nó chuspóirí na n-oibríochtaí, go ndéantar faireachán rialta agus córasach mórscála ar na hábhair sonraí; nó

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

Téacsanna gaolmhara

(c) is é atá i bpríomhghníomhaíochtaí an rialaitheora nó an phróiseálaí próiseáil mhórscála ar chatagóirí speisialta sonraí pearsanta de bhun Airteagal 9 agus ar shonraí a bhaineann le ciontuithe coiriúla agus cionta dá dtagraítear in Airteagal 10.

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

Téacsanna gaolmhara

2. Féadfaidh grúpa gnóthas oifigeach cosanta sonraí amháin a cheapadh ar choinníoll go bhfuil rochtain éasca ar oifigeach cosanta sonraí ó gach ceann de na bunaíochtaí.

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

Téacsanna gaolmhara

3. I gcás inar údarás nó comhlacht poiblí é an rialaitheoir nó an próiseálaí, féadfar an t-aon oifigeach amháin cosanta sonraí a cheapadh i gcás na n-údarás éagsúil nó na gcomhlachtaí éagsúla sin, agus struchtúr eagraíochtúil agus méid na n-údarás nó na gcomhlachtaí á gcur san áireamh.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

Téacsanna gaolmhara

4. I gcásanna seachas na cásanna dá dtagraítear i mír 1, féadfaidh an rialaitheoir nó an próiseálaí nó comhlachais agus comhlachtaí eile a dhéanann ionadaíocht thar ceann catagóirí rialaitheoirí nó próiseálaithe, oifigeach cosanta sonraí a cheapadh, nó i gcás inar gceanglaítear sin le dlí an Aontais nó le dlí Ballstáit, ceapfaidh siad é. Féadfaidh an t-oifigeach cosanta sonraí gníomhú do chomhlachais agus do chomhlachtaí eile mar sin a dhéanann ionadaíocht thar ceann rialaitheoirí nó próiseálaithe.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. Ceapfar an t-oifigeach cosanta sonraí bunaithe ar bhonn cháilíochtaí gairmiúla an duine agus, go háirithe, ar an méid saineolais atá ag an duine maidir le dlí agus cleachtais um chosaint sonraí agus ar chumas an duine na cúraimí dá dtagraítear in Airteagal 39 a chomhlíonadh.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

Téacsanna gaolmhara

6. Féadfaidh sé gur comhalta foirne de chuid an rialaitheora nó an phróiseálaí é an t-oifigeach cosanta sonraí, nó d’fhéadfadh an t-oifigeach na cúraimí sin a chomhlíonadh ar bhonn conartha seirbhíse.

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. Foilseoidh an rialaitheoir nó an próiseálaí ainm agus sonraí teagmhála an oifigigh cosanta sonraí agus cuirfidh sé iad in iúl don údarás maoirseachta.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Tráchtaireacht ISO 27701 Recitals Dlí Treoirlínte & Cásanna Leave a comment
Tráchtaireacht

(EN) The article explains when and under what conditions a Data Protection Officer (DPO) should be appointed or hired. In most cases, at least one of the following conditions is sufficient for the company to be required to have a DPO:

  • if data processing is performed by state authorities (except for courts)

(EN) […]


to read the full text

(EN) Author
(EN) Maria Arnst CIPM, TÜV
(EN) GDPR Consultant
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 6.1.1.

Here is the relevant paragraph to article 37 GDPR:

6.3.1.1 Information security roles and responsibilities

Implementation guidance

The organization should designate a point of contact for use by the customer regarding the processing of PII. When the organization is a PII controller, designate a point of contact for PII principals regarding the processing of their PII (see 7.3.2).

(EN) […]


to read the full text

Recitals

(97) I gcás inar údarás poiblí a dhéanann an phróiseáil, cé is moite de chúirteanna nó d'údaráis bhreithiúnacha neamhspleácha agus iad ag gníomhú dóibh ina gcáil bhreithiúnach, i gcás inar rialaitheoir a dhéanann an phróiseáil san earnáil phríobháideach, rialaitheoir arb iad oibríochtaí próiseála dá dteastaíonn faireachán rialta córasach ar na hábhair sonraí ar mhórscála, nuair arb éard atá i gcroíghníomhaíochtaí an rialaitheora nó an phróiseálaí, catagóirí speisialta sonraí pearsanta agus sonraí a bhaineann le ciontuithe coiriúla agus cionta, ba cheart duine a bhfuil saineolas ar dhlí agus ar chleachtas na cosanta sonraí aige nó aici a bheith de chúnamh ag an rialaitheoir nó ag an bpróiseálaí chun faireachán a dhéanamh ar chomhlíonadh inmheánach an Rialacháin seo. San earnáil phríobháideach, baineann croíghníomhaíochtaí an rialaitheora leis na príomhghníomhaíochtaí atá aige nó aici agus ní bhaineann siad le próiseáil sonraí pearsanta mar ghníomhaíochtaí coimhdeacha. Ba cheart an leibhéal saineolais is gá a chinneadh, go háirithe, de réir na n-oibríochtaí próiseála sonraí atá á ndéanamh agus de réir na cosanta atá de dhíth ar na sonraí pearsanta atá á bpróiseáil ag an rialaitheoir nó ag an bpróiseálaí. Ba cheart d'oifigigh cosanta sonraí den sórt sin a bheith in ann a ndualgais agus a gcúraimí a chomhlíonadh ar bhealach neamhspleách, bíodh siad fostaithe ag an rialaitheoir nó ná bíodh.

(97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

Dlí Treoirlínte & Cásanna Leave a comment
[js-disqus]