Usefulness for organisations and sectors
The Dutch DPA promotes the appointment of internal supervisors. Self-regulation and the integration of supervision into normal business operations contribute effectively to the achievement of improved privacy protection. The data protection officer is an expert point of contact for the controller. He is also able to act as a contact person for people whose personal data are being processed. These individuals might be customers, employees or patients. The data protection officer increases privacy-awareness within the organisation.
Who is able to become a data protection officer?
An external individual may function as a data protection officer. However, this person would be further removed from the work floor, and would be less familiar with company culture. What is more, each controller wishing to draw upon the knowledge and skills of an external individual, in his capacity as data protection officer, must appoint this data protection officer himself and notify the Dutch DPA accordingly. A controller cannot play the role of data protection officer within his own company. The Dutch DPA will reject any notifications of this nature.
Notifying the data protection officer of data processing
Where a controller opts to notify a data protection officer of the processing of personal data, the data protection officer must include this notification in a public register he maintains. Where he does this, the controller will no longer be required to notify the Dutch DPA. The organisation will be free to decide how the notification process is organised, providing it does so in accordance with statutory regulations. Please note that a separate version of the Wbp-Meldingsprogramma [Wbp-notification programme] is available specifically for data protection officers. Incidentally, a data protection officer may only be notified of data processing where the processing in question is not subject to a prior investigation (also see the fact sheet entitled Prior Investigation [Voorafgaand onderzoek]).
Duties and powers
Legislation imposes a number of requirements on internal supervisors. The data protection officer must be a "natural" person. As such, a works council or committee will not be eligible for this position. The data protection officer must possess the knowledge required, i.e. knowledge of the organisation, the data processing occurring within the organisation, the interests involved and, of course, privacy legislation. In addition, the data protection officer must be reliable. This reliability is reflected in the obligation to observe secrecy and in the ability to weigh the various interests involved against each other from a position of independence. The data protection officer has the authority to enter various areas, investigate cases and request information and access to information.
The data protection officer’s activities will include:
- supervision
- the collection of data processing inventories
- the administration of data processing notifications
- the handling of complaints
- the preparation of annual reports
- the provision of information
- the development of internal regulations
- the provision of advice on technology and protection
Position in relation to the controller
The data protection officer must be able to perform his duties independently. Independent supervision means that the data protection officer holds a staff position, preferably allied to management within the organisation and certainly not isolated from it. The controller makes it possible for the data protection officer to perform his duties properly. The recommendations made to the controller by the data protection officer are not binding. However, the data protection officer may not be prevented from carrying out investigations. A data protection officer enjoys the same protection against dismissal as that offered to members of a works council. As a result, his employment cannot be terminated without the prior consent of the district court.
Position in relation to data subjects
A data protection officer’s set of tasks may include dealing with complaints on the use of personal data. Wherever possible, the Dutch DPA will refer data subjects with questions or complaints to a data protection officer. A data protection officer may provide information on data processing within a particular company or sector.
Relationship between the data protection officer and the Dutch DPA
The legislator wishes smooth interaction to develop between the data protection officer, the controller and the Dutch DPA. For this reason, each data protection officer is allocated his own contact person within the Dutch DPA. The data protection officer is not an extension of the Dutch DPA, but may mediate between the controller and the Dutch DPA. The Dutch DPA will retain its duties and powers in respect of organisations that have appointed data protection officers. However, it will play a less prominent role in its supervision of organisations in which data protection officers are functioning well. The preparation of an annual report is an important indication of a data protection officer’s successful performance, as is the appropriate internal and external distribution of the report. For example, the annual report, in which the data protection officer describes his activities and findings, can be integrated into the organisation’s general annual report. The Dutch DPA greatly appreciates receiving copies of the reports prepared by data protection officers.
Where a data protection officer ceases to be active in this capacity, resulting in a vacancy for this position, the controller must notify the Dutch DPA of this fact. If the position is not filled, the organisation must resume its notification of all data processing activities to the Dutch DPA.
The Netherlands society of data protection officers
Data protection officers are able to join the Nederlands Genootschap van Functionarissen voor de Gegevensbescherming (NGFG) [Netherlands society of data protection officers]. Amongst other things, the object of the NGFG is to promote the quality and integrity of data protection officers. It strives to do this by developing the field, representing interests shared by data protection officers and by exchanging knowledge and experience. This object is directly related to the requirement laid down in the Wbp [Dutch Data Protection Act], i.e. that the data protection officer have a sufficient knowledge of privacy regulations and be reliable. The NGFG can contribute to the achievement of this requirement. For more information, please visit the Internet site of the NGFG.
More information
The Dutch DPA must be notified of all data protection officers appointed. It adds them to a public register of data protection officers. For more information on data protection officers, please see the brochure entitled De functionaris voor de gegevensbescherming [The Data Protection Officer]. This guide will provide you with information on the duties and powers applicable to data protection officers and also contains a registration form.