Jan Dop

partner

Jan is a specialist in employment law and corporate law

jan.dop@russell.nl
+31 20 301 55 55

Reinier Russell

managing partner

Reinier advises national and international companies

reinier.russell@russell.nl
+31 20 301 55 55

Privacy: Data protection officer

Publication date 25 August 2022

With the European General Data Protection Regulation (GDPR), the appointment of a data protection officer has become mandatory for certain businesses and organizations. What are the duties of this officer and what kind of businesses are required to appoint such an officer?

persoonsgegevens - ubo

What kind of businesses are required to appoint a data protection officer?

According to the European General Data Protection Regulation (GDPR), businesses and organizations must appoint a data protection officer if:

  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

If your business has appointed a data protection officer in the Netherlands, you have to provide the contact data to the Personal Data Authority.

Data protection officer

The data protection officer – also referred to as privacy officer – is an independent person who monitors the general quality of the data protection policy of an organization. Therefore, while performing his tasks, he cannot receive instructions from you as the employer or client. In addition, a data protection officer may not be dismissed or fined due to his or her work. However, the officer may also carry out other work, provided that this does not create a conflict of interest.

The data protection officer will control whether the processing of data in your company is in accordance with the General Data Protection Regulation. Therefore, the controller and processor must involve the officer in a timely manner in any processing of personal data. If the data protection officer detects irregularities, he must report them to the person in charge or to the company he was appointed by.

In addition, the data protection officer is allowed to make recommendations. However, these recommendations have an advisory function only. Ultimately, it’s up to the person in charge whether to follow the advice of the data protection officer or not.

Appointing a data protection officer means you will have a “watchdog” within your company. You will also have an in-house expert who can quickly provide insight on the right way of data processing. To ensure that this expertise will be maintained, the employer is required to provide the necessary means, including training. The national data protection agency will act reluctantly if the data protection officer performs his duties properly.

Action

  • Check whether you are required to appoint a data protection officer.
  • Get a check on whether the tasks and competences of the data protection officer comply with the GDPR.

More information

More information on the European privacy rules can be found in other newsletters in this series:

Privacy and GDPR lawyer

Would you like to know more about the application of the General Data Protection Regulation, or do you have any other questions on how to organize your company in the context of the data protection regulation? Please contact us:

    We process the personal data above with your permission. You can withdraw your permission at any time. For more information please see our Privacy Statement.

    Related publications

    25 September 2024: Cybersecurity and Data Protection in Litigation

    Wednesday 25 September 2024, Reinier Russell will discuss cybersecurity and data protection in litigation at the European meeting of the World Litigation Forum in Barcelona.

    Read more

    1 January 2024: Model agreement on unrestricted substitution to disappear

    An important way to prevent an assignment contract from turning out to be an employment contract after all is to use and correctly implement the model agreements on the website of the Dutch Tax and Customs Administration. However, from 1 January 2024, all models that partially or completely assume the possibility of substitution will expire. What does this mean for principals and contractors?

    Read more

    What does the Homologation Act (WHOA) mean for creditors?

    The WHOA makes it easier for a company facing bankruptcy to avoid bankruptcy. This can be done through a binding agreement with all creditors, even if they do not all agree to the arrangement. What rights do creditors have in WHOA proceedings?

    Read more

    New EU General Product Safety Regulation

    On 12 June 2023, the new EU General Product Safety Regulation entered into force. As of 13 December 2024, products must comply with this regulation. What are the consequences of the new Product Safety Regulation? Which entrepreneurs should start taking measures now?

    Read more

    Fraud prevention in the company

    Fraud causes billions in damages each year. Companies face, for example, fraudulent contracting parties, directors and employees. The management and supervisory board might play the most important role in a company when it comes to fraud prevention. In this newsletter we will give them some legal tools to prevent fraud.

    Read more

    Protecting your company’s assets and interests. The importance of getting it right from the start

    Company directors and company owners are more than ever reliant on assets such as a company’s brand name, patented inventions, trade secrets, customer data base and skillful employees. Yet, all too often, when faced with a potential infringement or misappropriation, companies find themselves woefully underprepared in terms of risk management. This may prove highly detrimental to the company’s best interests.

    Read more