Data Protection Officer (DPO) as a service

Mgr. Tomáš Vavro 03.10.2017


Illustration for Data Protection Officer (DPO) as a service

Obligation to appoint a personal data protection officer under the GDPR

One of the obligations under Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016 (General Data Protection Regulation or GDPR) is the obligation of some administrators and processors to appoint a so-called personal data protection officer, also called Data Protection Officer (DPO).

On the one hand, A) all public-law entities, e.g. municipalities, have this obligation, on the other hand, this obligation also affects private-law entities, B) whose main activities consist in the processing of data that require extensive regular and systematic monitoring of data subjects, or entities, C) whose main activities consist in extensive processing of special categories of data.

Projected into practice, the obligation to appoint a personal data protection officer applies in particular to operators of various medical facilities that process data on the health status of patients to a greater extent, or entrepreneurs who evaluate customer behavior, for example for the purpose of targeting advertising, analyzing credit and insurance risks, as part of the operation of applications evaluating the user's location or as part of camera monitoring of several different spaces by a security agency.

Failure to appoint a personal data protection officer or appointing this person only for form can result in a fine of up to EUR 10,000,000 or up to 2% of the worldwide turnover for the previous financial year for the administrator or processor.

Who can be a personal data protection officer and what is his role?

The person in charge of personal data protection can be a natural or legal person with the necessary qualifications, whose duty consists in particular in checking the correctness of procedures in the processing of personal data, providing consultations and advice, as well as in cooperation and communication with the Office for Personal Data Protection.

Administrators and processors can thus decide to appoint their own employee who will perform these activities in addition to the main workload and who will be regularly trained in the field of personal data protection, or to appoint an external personal data protection officer who will provide his services on the basis of a contract . The second option appears to be more advantageous for many administrators and processors, due to lower financial and administrative costs, as well as due to the risks associated with the termination of the employee's em­ployment relationship.

At the same time, according to the GDPR, a group of companies or public entities, e.g. a group of municipalities within a certain region, can appoint a joint personal data protection officer and thus share the costs of his services.

The price of the services of the personal data protection officer

Law office Vozáb & Co. provides GDPR data protection officer services as an external supplier at the prices below:

Flat-rate monthly remuneration: 2,000 to 15,000 CZK without VAT depending on the nature and scope of the client's activity.

Services related to the assessment of specific situations and the preparation of specific documents within the scope of the client's activities are billed separately.


Subscribe via email RSS Feed
Share