Artikolu 39 RĠPD (GDPR). Kompiti tal-uffiċjal tal-protezzjoni tad-data
Article 39 GDPR. Tasks of the data protection officer
1. L-uffiċjal għall-protezzjoni tad-data għandu jkollu mill-inqas il-kompiti li ġejjin:
1. The data protection officer shall have at least the following tasks:
(a) jinforma u jagħti pariri lill-kontrollur jew lill-proċessur u lill-impjegati li jagħmlu l-ipproċessar dwar l-obbligi tagħhom skont dan ir-Regolament u skont dispożizzjonijiet oħra tal-Unjoni jew ta’ Stati Membri dwar il-protezzjoni tad-data;
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) jissorvelja l-konformità ma’ dan ir-Regolament, ma’ dispożizzjonijiet oħra tal-Unjoni jew ta’ Stati Membri dwar il-protezzjoni tad-data u mal-politiki tal-kontrollur jew tal-proċessur fir-rigward tal-protezzjoni tad-data personali, inklużi l-assenjazzjoni tar-responsabbiltajiet, is-sensibilizzazzjoni u t-taħriġ tal-persunal involut fl-attivitajiet ta’ pproċessar, u l-verifiki relatati;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) jipprovdi parir fejn mitlub fir-rigward tal-valutazzjoni tal-impatt fuq il-protezzjoni tad-data u jissorvelja l-prestazzjoni tagħha skont l- Artikolu 35;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) jikkoopera mal-awtorità superviżorja;
(d) to cooperate with the supervisory authority;
(e) jaġixxi bħala l-punt ta’ kuntatt għall-awtorità superviżorja dwar kwistjonijiet relatati mal-ipproċessar, inkluż il-konsultazzjoni minn qabel imsemmija fl-Artikolu 36, u jikkonsulta, fejn xieraq, fir-rigward ta’ kwalunkwe materja oħra.
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. L-uffiċjal tal-protezzjoni tad-data fit-twettiq tal-kompiti tiegħu għandu jkollu konsiderazzjoni dovuta għar-riskju assoċjat mal-attivitajiet ta’ pproċessar, filwaqt li jqis in-natura, l-ambitu, il-kuntest u l-għanijiet tal-ipproċessar.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
3.2. Necessary resources
Article 38(2) of the GDPR requires the organisation to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge’. The following items, in particular, are to be considered:
• active support of the DPO’s function by senior management (such as at board level)
• sufficient time for DPOs to fulfil their duties. This is particularly important where an internal DPO is appointed on a part-time basis or where the external DPO carries out data protection in addition to other duties. Otherwise, conflicting priorities could result in the DPO’s duties being neglected. Having sufficient time to devote to DPO tasks is paramount. It is a good practice to establish a percentage of time for the DPO function where it is not performed on a full-time basis. It is also good practice to determine the time needed to carry out the function, the appropriate level of priority for DPO duties, and for the DPO (or the organisation) to draw up a work plan
• adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
• official communication of the designation of the DPO to all staff to ensure that their existence and function are known within the organisation
• necessary access to other services, such as Human Resources, legal, IT, security, etc., so that DPOs can receive essential support, input and information from those other services
• continuous training. DPOs must be given the opportunity to stay up to date with regard to developments within the field of data protection. The aim should be to constantly increase the level of expertise of DPOs and they should be encouraged to participate in training courses on data protection and other forms of professional development, such as participation in privacy fora, workshops, etc.
• given the size and structure of the organisation, it may be necessary to set up a DPO team (a DPO and his/her staff). In such cases, the internal structure of the team and the tasks and responsibilities of each of its members should be clearly drawn up. Similarly, when the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the tasks of a DPO as a team, under the responsibility of a designated lead contact for the client.
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 13.2.4.
Here is the relevant paragraph to article 5(1)(f) GDPR:
6.10.2.4 Confidentiality or non-disclosure agreements
Implementation guidance
The organization should ensure that individuals operating under its control with access to PII are subject to a confidentiality obligation. The confidentiality agreement, whether part of a contract or separate, should specify the length of time the obligations should be adhered to.
(EN) […]
(EN) Sign in
to read the full text