COMPARATIVE TABLE OF PERSONAL DATA PROTECTION OFFICIALS IN EUROPE
Version V1.0, up to date as of 29 Sept. 2009. We invite readers to send us their comments in order to complete this table (pg@pascalgelly.com)

Columns: Estonia, Hungary, Slovakia, Malta

Title
- Estonia: Isikuandmete kaitse eest vastutav isik (Person responsible for protection of personal data)
- Hungary: Belső adatvédelmi felelős (internal data protection officer)
- Slovakia: Dohľad nad ochranou osobných údajov (personal data protection official)
- Malta: Rapprezentant ta data personali / Data protection representative

Creation / Effective date: DPO 1.0: 2003; DPO 1.0: 1993; DP 1.0.: 2002; --; DPO 2.0: 2008; DPO 2.0: 2007

Number
- Estonia: --
- Hungary: --
- Slovakia: --
- Malta: 111 DPO (list available on the Authority's website)

Associations: -- -- --

Legislation
- Estonia: 27, 30 and 31 of the Isikuandmete kaitse seadus of February 15th, 2007
- Hungary: Articles 28 and 31A of the DP Act LXIII of 1992 (1992. évi LXIII. törvény a személyes adatok védelméről és a közérdekű adatok nyilvánosságáról)
- Slovakia: Sections 19, 25, 29, 30 and 49 of the DP Act No. 428/2002 amended
- Malta: Sections 30 to 35 of the DP Act (Cap 440), ACT XXVI of 2001, as amended by Act XXXI of 2002

Mandatory / Optional
- Estonia: Optional
- Hungary: Mandatory for DC or data processors
  - in case of processing of data files of national authorities or of national labour or criminal data files
  - in financial institutions,
  - in telecommunications services providers,
  - in public utility services providers
- Slovakia: Mandatory - if more than 5 employees (if the DC fails to do so, a fine from SKK 30.000 to 3.000.000 can be imposed); Optional - if less than 6 employees
- Malta: Optional

Legal advantages associated with the appointment of a DPO
- Estonia: simplification of procedures: mandatory registration of automated processing of sensitive data need not be done
- Hungary: --
- Slovakia: simplification of procedures: exemption from mandatory registration except for sensitive types of processing or when transborder data flows to non
- Malta: simplification of procedures: exemption from mandatory registration except when
Authority prior checking is required (sensitivity)
adequate countries

Role
General
Maintenance of a registry of processing
Mandatory tasks
- Monitor the compliance of the DC upon processing of personal data with DP and other laws.
--
- Supervise observation of statutory provision in the processing of personal data
(register) (register) (records)
- available to anybody at request
--
- contribute to or assist in making decisions related to data processing and to the enforcement of the rights of data subjects
- monitor compliance with data protection requirements
- investigate reports submitted to him, and call on the data controller or technical data processor to discontinue any unlawful data processing observed by him
- draw up the internal data protection and data security rules
- ensure the training of the staff in data protection
- assess whether any danger of violation of the rights and freedoms of data subjects arises from their processing before commencement of the processing
- notify the DC in writing (otherwise a fine up to SKK 100.000 can be imposed) without undue delay of any violation
- supervise the fulfilment of the DC's basic obligations related to data protection
- advise data subjects on their rights and obligations
- determine and supervise the implementation of technical, organisational and personal measures (including the elaboration of Security Project or documents related to data protection)
- supervise the selection of the processor (including draft of a written contract or written authorization for the processor)
- Ensure that the personal data is processed in a correct and lawful manner and in accordance with good practice
(register)
- available to any person at request
- Duty to report inadequacies to DC
- Assistance to data subjects in the exercise of their rights
- Paying notification fee to Authority on behalf of DC after payment by DC
Appointment
Work conditions
- supervise transborder data flows
- notification to Authority of processing when required or maintenance of a documentation of processing if notification not required
- ensure the processing of requests of data subjects related to the application of their rights
-- -- -- --
Activity Report
Optional tasks
--
Qualifications
--
- higher education degree in law, public administration or information technology, or equivalent qualification
Internal / external...
Formalities
- lawyer: --
- legal entity: --
Notification to Authority upon appointment of DPO
- lawyer: --
- legal entity: --
Notification to Authority (Prior to the DC commencement of activity)
Independence
--
Reports directly to the head of the DC or data processor
- full legal capacity
- meets the precondition of integrity (irreproachable citizen, who was not sentenced, by a final decision, for a deliberate crime or who was not sentenced to imprisonment without suspension: need an extract from the Criminal Register)
- lawyer: --
- legal entity: no
The DC may appoint several DPO
Notification to Authority (without undue delay: at the latest within 30 days)
- if the DC failed to enable, disturbed, frustrated or otherwise
- lawyer: --
- legal entity: --
Notification to Authority
--
Relations with the Authority
obstructed the DPO's tasks, a fine from SKK 30.000 to 3.000.000 can be imposed
- a legal representative of the DC cannot be DPO

Status
- Estonia: --
- Hungary: --
- Slovakia: Status of the entitled person of the controller
- Malta: --

Means
- Estonia: --
- Hungary: --
- Slovakia:
  - The DC shall provide a professional training of the DPO (if the DC fails to do so, a fine from SKK 30.000 to 3.000.000 can be imposed)
  - the DC shall accept the DPO legitimate proposals
- Malta: --

Availability: -- -- -- --

Notification of DPO appointment
Contact of the Authority by the DPO
Contact of the DPO by the Authority
Shall include name and contact details
- mandatory if the DPO informs the DC of a violation discovered upon the processing and if the DC does not immediately take measure to end the violation
- mandatory if the DPO is in doubt as to which requirements are applicable to the processing of personal data or which security measures must be applied upon processing of personal data
Shall include name and contact details (within 30 days)
Shall include various information on the DPO including a statement on integrity
--
- obligation of cooperation
- mandatory if DPO informs DC of a violation and if DC fails to rectify the situation without undue delay
-- -- -- --
- mandatory if DC has not rectified a violation asap after notice by DPO
- mandatory consultation in case of doubt about how to apply the rules
Termination / Resignation of the DPO
At the request of the DPA
By the DC
-- --
- the DPA is entitled to DC to appoint a different DPO if it is proven that DPO failed to fulfil or did not fulfil sufficiently his obligations, or assessed incorrectly or applied incorrectly in practice the rights and obligations imposed on the DC
--
Notification of Authority -- -- Notification of Authority required required
-- -- -- --
At the DPO initiative
Liability
-- --
- notification of deficiencies or requests by DPO to fulfil his obligations must not be a reason for DC to cause damage to DPO
- administrative fine up to SKK 100,000 to DPO who failed to notify DC of violations or to notify the Authority if DC did not rectify the violation
--

Table prepared by Me Pascale Gelly (Cabinet Gelly), assisted by E. Quillatre, on the occasion of the 5th Assises du Correspondant Informatique & Libertés (Paris, 10 June 2009)
Version up to date on September 29, 2009. We invite our readers to provide us with their comments in order to improve this document (pg@pascalegelly.com)

Glossary
Authority: Supervisory authority
DPO: Data Protection Official
DC: Data Controller
DP: Data Protection
Credits
We thank Pascale Gelly and Elisabeth Quillatre from Gelly's law firm for their preparation and drafting of this document.

Bibliography
Available English translations of national Data Protection Acts in Data protection Authorities websites