In this section, you will find background and other practical documents, containing essential information for you to carry out your Data Protection Officer (DPO) tasks and mission.
Regulation (EC) 2018/1725 introduces several novelties with an impact on the role of the DPOs. The EDPS position paper on the role of the Data Protection Officer aims at providing guidance for DPOs on their paramount role, functions and tasks, as the cornerstone of the EU institution/body/agency (EUI).
The Professional Standards for Data Protection Officers issued by the DPO network in 2010 also provides useful tips and best practices for the DPOs of the EUIs.
Firstly, however, you may want to recap on what the decision appointing a DPO should contain. Thereafter, you can review the implementing rules concerning the tasks, duties and powers of the DPO adopted by your body. The guidelines contained here, illustrated with an example, are helpful in drafting these rules.
Article 31 of Regulation 2018/1725 states that “Each controller shall maintain a record of processing activities under its responsibility”. In this way, the EUI is in control of its processing operations. Records are an important tool for verifying and demonstrating compliance in light of the accountability principle.
In addition, EUIs shall keep their records of processing activities in a central register. For reasons of transparency, they should make the register public. Since DPOs are the experts on data protection, the EDPS strongly recommends that they should be the ones keeping the register of records. Although the DPO can provide advice with respect to the records, the controller remains responsible for generating them and for their content.
The EDPS has issued thematic Guidelines which may be useful for you. The Guidelines provide advice to controllers how to apply the data protection principles in thematic fields. We have also included some tips and presentations on how to raise awareness within your institution as well as templates of privacy statements.
Last but not least, the EDPS invites you to check out our trainings. We have already given many trainings to newly appointed DPOs and to different EUIs on Regulation 2018/1725 and on specific thematic case studies. We also give a 2-hour lunch training to EU middle managers at least four times a year at the European School of Administration on their new obligations under Regulation 2018/1725. Do not hesitate to encourage controllers to attend these lunch trainings.
Personal data breach notification
From 12 December 2018, under Regulation (EU) 1725/2018 all European institutions and bodies have a duty to report certain types of personal data breaches to the EDPS. Every EU institution must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to pose a high risk of adversely affecting individuals’ rights and freedoms, the EU Institution must also inform the individuals concerned without unnecessary delay.