1 Policy Statement
[Your Company Name] (hereinafter referred to as the “Company”) complies fully with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18) and any specific data protection codes of conduct (herein collectively referred to as ‘the GDPR’). Articles 37-39 and Recital 97 of the GDPR detail the obligations, requirements and responsibilities on firms to appoint a Data Protection Officer and specify the duties that the officer themselves must perform.
A Data Protection Officer (DPO) must be appointed by a firm where:
- the processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
- the core activities of the controller/processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale
- the core activities of the controller/processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10
2 Purpose of the Position
This document details the responsibilities and duties of our Data Protection Officer (DPO) and supports our employees and third parties in the compliant and effective processing of personal data through the appointment and commitment of our [DPO/Approved Person] (hereinafter referred to as the “Data Protection Officer or Lead”).
Where we have appointed a designated Data Protection Officer or Lead, we have done so in accordance with the GDPR requirements and have ensured that the assigned person has an adequate and expert knowledge of data protection law, principles and practices; and is fully capable of assisting the Company in monitoring its internal compliance with the Regulation and to support and advise employees and associated third parties with regards to data protection laws and requirements.
3 Scope
This document applies specifically to the appointed DPO or the person assigned the data protection oversight function. However, its content and requirements relate to all staff (meaning permanent, fixed-term and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas) and it has been created to ensure that all employees understand the role of the Data Protection Officer, their responsibilities and obligations, and the correct reporting lines.
4 Data Protection Officer Responsibilities
The Company has appointed a Data Protection Officer or Lead due to the nature of our business activities and/or the services that we provide. We have utilised our existing due diligence measures and procedures, along with extensive employee screening methods, to ensure that the Data Protection Officer or Lead has been appointed on the basis of their expertise and professional qualities.
We provide support, training, mentoring and CPD for the Data Protection Officer or Lead, to ensure that they have an expert knowledge of data protection law, practices and principles and the ability to fulfil the tasks referred to in Article 39 of the GDPR. They report to the highest level of management and provide adequate and effective management information on compliance, measures, controls, reviews, gaps and improvement action plans.
The Data Protection Officer or Lead is fully aware and informed that their role in relation to data protection is bound by secrecy and confidentiality and they have completed a Confidentiality Agreement which is signed and held on file. Where they fulfil other tasks and duties, we have carried out a risk-assessment to ensure that those tasks and duties do not result in a conflict of interest. The Data Protection Officer or Lead can carry out their role with autonomy and without fear of detriment or retribution, regardless of their assessment, suggestions or obligations.
The Company is registered with the Supervisory Authority and appears on the Data Protection Register as a [controller and/or processor*] of personal information. The DPO and their contact details have been published on this register, as well as being provided directly to the Supervisory Authority.
[NOTE: If your designated DPO is not an employee and has been appointed on the basis of a service contract, you have an obligation to verify that the DPO is adequate, capable and experienced. You should carry out and record due diligence and background checks and retain copies.]
4.1 Duties of the Data Protection Officer
The Data Protection Officer has assumed the duties below in compliance with GDPR Article 39:
- To inform and advise the Company and any employees carrying out processing of their obligations pursuant to the GDPR, the Supervisory Authority’s guidelines and any associated data protection provisions
- To monitor compliance with the GDPR, associated data protection provisions and the Company’s own data protection policies, procedures and objectives
- To oversee the assignment of responsibilities, awareness-raising and training of staff involved in data processing operations
- To carry out and review audits of the above-mentioned policies, procedures, employee duties and training programs
- To cooperate with the Supervisory Authority where required
- To act as the point of contact for the Supervisory Authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter
- In accordance with Article 35 (where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons), to provide advice where requested with regard to any data protection impact assessment and to monitor its performance
- To have due regard to, and be aware of, the risks associated with processing operations, considering the nature, scope, context and purposes of processing
- [Add/Delete as applicable]
Designated Data Protection Officer
NAME: __________________________________________
POSITION: __________________________________________
ADDRESS: __________________________________________
__________________________________________
EMAIL: __________________________________________
TEL: __________________________________________
Deputy Data Protection Officer
NAME: __________________________________________
POSITION: __________________________________________
ADDRESS: __________________________________________
__________________________________________
EMAIL: __________________________________________
TEL: __________________________________________