What is a Data Protection Officer or DPO?
It is the person whose function is to advise on the formulation, design and implementation of Personal Data Protection policies, supervise compliance with the regulations and propose the measures deemed appropriate to comply with the regulations and international standards on the subject.
Regulatory Framework
In accordance with the provisions of Article 40 of Law No. 19,670 of October 15, 2018 and Decree 64/020 regulating Articles 37 to 40 of the law, the following entities are required to appoint a delegate:
- Public entities, whether state-owned or non-state-owned.
- Private entities wholly or partially state-owned.
- Private entities that process sensitive data as their main business.
- Those that process large volumes of data.
Processing of large volumes of data is considered to be any activity involving the processing of personal data of more than 35,000 individuals.
The Regulatory and Personal Data Control Unit (URCDP), ex officio or upon request, may rule on whether a private entity should have a data protection officer.
Duties of the Data Protection Officer
The DPO will be in charge of the following functions:
- Advise on the formulation, design, and implementation of Personal Data Protection policies. For example, intervene as necessary in the drafting of service contracts with data processors, draft the necessary clauses for forms or procedures of the entity, draft the privacy policy and train staff, among others.
- Oversee regulatory compliance in your organization. For example, register or update the entity’s database registers, hold the corresponding consents, carry out the impact assessments and ensure compliance with the principles, among others.
- Propose all measures it deems appropriate to comply with the regulations and international standards on Personal Data Protection. For example, recommend the adoption of protocols, the improvement of processes and the adoption of certain security measures, among others.
- Act as a liaison between your entity and the URCDP. For example, submit queries to the control body or bring to its attention situations that warrant it, keep up to date with training and update the processes of the controller or processor, if applicable, among other tasks.
Position of the DPO
The Data Protection Officer may be part of the personnel dependent on the data controller or data processor or perform his/her functions through any other contractual form, whether it implies dependence or not.
Participation of the DPO in the controller’s or processor’s activities
The controller or processor must ensure the due participation of the Data Protection Officer in all instances related to Personal Data Protection issues.
The delegate must be supported in the performance of his/her functions and, for this purpose, must be given full access to the personal data and to the processing operations carried out on them.
It is also important that he/she does not receive instructions in the performance of his/her specific duties, and may act with full technical autonomy.
Finally, the DPO may perform other functions and duties as long as no conflicts of interest are generated.
Term of Appointment
When it is necessary to appoint a personal data protection officer, this must be communicated to the Regulatory and Personal Data Control Unit (URCDP) within 90 days from the start of the processing.
At Heaven’s Group we have the service of a Data Protection Officer, who will advise you on compliance and on the measures necessary to meet current regulations on personal data.