In accordance with the Law on Personal Data Protection (the Law), Data Controllers and Data Processors are obliged to appoint a Data Protection Officer (DPO) in the cases specified in the Law.
Although the Law specifies the cases in which this is a legal obligation, the practice and the opinion of the Commissioner for Information of Public Importance and Personal Data Protection (the Commissioner) have shown that it is always advisable to appoint a DPO.
Duties of the Data Protection Officer
The duties of the Data Protection Officer, prescribed by law, are
- informing and advising the Data Controllers and Data Processors, as well as the employees who carry out the processing operations, on their legal obligations regarding the protection of personal data;
- supervising the implementation of the Law, other laws and the internal regulations of the Data Controller or Data Processor in relation to the protection of personal data, including issues relating to the allocation of responsibilities, awareness and training of the employees involved in the processing operations and control;
- upon request, provide opinions and other follow-up actions regarding the Data Protection Impact Assessment;
- to cooperate and represent a contact point for cooperation and consultation with the Commissioner on matters relating to processing, including notification and obtaining opinions.
In carrying out his or her duties, the DPO shall pay the utmost attention to the risks associated with the processing operations, taking into account the nature, scope, circumstances and purposes of the processing.
Responsibilities and Position of the Data Protection Officer
The DPO shall be selected based on his or her professional qualifications, in particular professional knowledge and experience in the field of Personal Data Protection, as well as the ability to fulfil the legal obligations.
This person does not have to be employed by the Data Controller or the Data Processor, but may perform tasks on a contractual basis, i.e. he or she may be hired externally.
The Data Controller or Data Processor is obliged to ensure the DPO’s independence in the performance of his or her legal obligations and may not sanction the DPO or terminate his or her employment because of the DPO’s performance of his or her legal obligations.
The Data Protection Officer may perform other tasks and the Data Controller, or the Data Processor are obliged to ensure that the performance of other tasks and obligations does not put the Data Protection Officer in a conflict of interest.
Our law office TSG Lawyers Belgrade provides services for the performance of the duties of a Data Protection Officer, including registration in the Register of Appointed Data Protection Officers maintained by the Commissioner.