Data Protection Officer
(Industry) organizations have the option of appointing an internal supervisor for the processing of personal data. Such a person is called a data protection officer (DPO). Within the organization, the DPO supervises the application of and compliance with the Personal Data Protection Act (Wbp).
Later: mandatory DPO
Please note: from May 25, 2018, new European privacy legislation, the General Data Protection Regulation (GDPR), applies. Organizations may then be obliged to appoint a DPO. Of course, organizations may still voluntarily appoint a DPO. For more information, see the GDPR file Data protection officer (DPO).
The activities of a DPO can include:
- create inventories of data processing operations;
- keep records of data processing;
- develop internal arrangements;
- advise on technology and security (privacy by design);
- provide input when drafting or modifying a code of conduct;
- handle questions and complaints from people inside and outside the organization.
Report data processing
Do you have to report risky processing to the Dutch Data Protection Authority? If you have a DPO, you can report this to the DPO.
Requirements for DPO
The law imposes a number of requirements on DPOs:
- A DPO must be a natural person. A works council or committee is therefore not eligible.
- A DPO must have sufficient knowledge of the organization and privacy legislation.
- A DPO must be reliable. This is reflected, among other things, in a duty of confidentiality.
Powers of the DPO
A DPO has no formal sanctioning powers. However, the organization is legally obliged to give the DPO supervisory powers. For example, a DPO must be authorized to enter areas, to investigate matters and to request information and access. The DPO must be able to independently perform his activities within an organization. A DPO has the same protection against dismissal as members of a works council. This means that he can only be fired after permission from the Subdistrict Court.
Supervision by the Dutch Data Protection Authority
If an organization has a DPO, the Dutch Data Protection Authority retains all powers as national supervisor. But the Dutch Data Protection Authority is reticent towards organizations with a DPO.
Professional association of DPOs
DPOs can become members of the Netherlands Association of Data Protection Officers.
An (industry) organization can appoint one or more DPOs. The organization must then register each DPO with the Dutch Data Protection Authority. Only then can the DPO start as such. Please note: a controller (the person who determines the purpose and means for the data processing) cannot also be a DPO in his own organization.
Register DPO with the Dutch Data Protection Authority
You can register a DPO with the Dutch Data Protection Authority via the registration form. Then send this to: Autoriteit Persoonsgegevens, for the attention of the File Management Department, PO Box 93374, 2509 AJ The Hague.
Public register of DPOs
The Dutch Data Protection Authority publishes registrations of DPOs in a register.
- Is someone no longer a DPO? Then the organization must pass this on to the Dutch Data Protection Authority.
- Will there not be a new DPO? In that case, the organization must notify all data processing to the Dutch Data Protection Authority.