Tasks

The activities of a DPO can include:

• supervise;
• create inventories of data processing operations;
• keep records of data processing;

Handling questions and complaints from people inside and outside the organization;

• develop internal arrangements;
• advising on technology and security ( privacy by design );
• provide input when drafting or modifying a code of conduct.

Report data processing

Do you have to report risky processing to the Dutch Data Protection Authority ? If you have a DPO, you can report this to the DPO.

Requirements for DPO

The law imposes a number of requirements on DPOs:

• A DPO must be a natural person. A works council or committee is therefore not eligible.
• A DPO must have sufficient knowledge of the organization and privacy legislation.
• A DPO must be reliable. This is reflected, among other things, in a duty of confidentiality.

Powers of the DPO

A DPO has no formal sanctioning powers. However, the organization is legally obliged to give the DPO supervisory powers. For example, a DPO must be authorized to enter areas, to investigate matters and to request information and access. The DPO must be able to independently perform his activities within an organization. A DPO has the same protection against dismissal as members of a works council. This means that he can only be fired after permission from the Subdistrict Court.

Supervision by the Dutch Data Protection Authority

If an organization has a DPO, the Dutch Data Protection Authority retains all powers as national supervisor. But the Dutch Data Protection Authority is reticent towards organizations with a DPO.

Appoint DPO

An (industry) organization can appoint one or more DPOs. The organization must then register each DPO with the Dutch Data Protection Authority. Only then can the DPO start as such. Please note: a controller (the person who determines the purpose and means for the data processing) cannot also be a DPO in his own organization.