
Data Protection Officer

Requirements by Country

Increasingly, privacy and data protection laws around the world require organizations to designate a data protection officer to
translate legal protections into practical reality. This chart catalogues those requirements but does not include the many additional
instances in which a DPO is recommended but not required. If you are aware of additional material that should be included here,
please email the Westin Research Center at research@iapp.org.

Each country entry below lists the chart’s columns as labelled fields: Legal instrument, Terminology, Scope, Tasks, Structure, Training/expertise, Registration/notification. A field is omitted where the chart has no entry for it.

Australia
Legal instrument: Privacy (Australian Government Agencies — Governance) APP Code 2017
Terminology: Designate a privacy officer.
Scope: Government agencies.
Tasks:
• Provide the agency advice on privacy matters.
• Handle internal and external privacy enquiries, complaints and requests for access to and correction of personal information.
• Maintain a record of the agency’s PI holdings.
• Assist with the preparation of privacy impact assessments and maintain the agency’s register of PIAs.
• Measure and document the agency’s performance against the privacy management plan at least annually.
Structure:
• An agency may have one or more privacy officers.
• The privacy officer may serve as the required privacy champion, or the two positions may be separate.
Training/expertise: The Office of the Australian Information Commissioner’s “Privacy Officer Toolkit” describes useful skills and expertise and offers resources for privacy officers.
Registration/notification: Provide the OAIC contact information for the privacy officer in writing.

Bermuda
Legal instrument: Personal Information Protection Act, Part 2, Section 5
Terminology: Designate a representative (“privacy officer”).
Scope: All organizations.
Tasks:
• Take responsibility for compliance with the act.
• Communicate with the commissioner.
Registration/notification: Publish name of privacy officer in privacy notice.


Brazil
Legal instrument: General Data Protection Law, Article 41
Terminology: Appoint a DPO.
Scope: Controllers (could be circumscribed by data protection authority rules).
Tasks:
• Receive and respond to complaints.
• Communicate with the DPA.
• Educate staff and contractors on personal data protection practices.
• Conduct other duties as prescribed by controller or set forth in DPA rules.
Registration/notification: Publish identity and contact information.

Canada
Legal instrument: Personal Information Protection and Electronic Documents Act, Schedule 1, 4.1 Principle 1
Terminology: Designate an individual or individuals who are accountable for the organization’s compliance.
Scope: Covered entities.
Tasks:
• Account for the organization’s compliance with act’s principles.
• Handle complaints or inquiries from individuals.

China
Legal instrument: Personal Information Security Specification 11.1(b)(d–e)
Terminology: Appoint a person and a department responsible for personal information protection.
Scope: Controllers implementing the standard.
Tasks:
• Take responsibility for data protection.
• Participate in important decisions on data processing.
• Coordinate data security efforts.
• Develop data protection plan.
• Develop/maintain data protection policies and procedures.
• Maintain list of personal data processed and access rights.
• Conduct data security assessment.
• Organize data security trainings.
• Conduct product testing to avoid unknown personal data collection, use, sharing and other processing.
• Handle complaints.
• Conduct security audits.
• Liaise with management and report personal data incident handling.
Structure:
• Report to the principal of organization.
• Resourced as necessary.
Training/expertise:
• Relevant management experience.
• Data protection expertise.


Colombia
Legal instrument: Law 1581/2012; Decree 1074, Article 2.2.2.25.4.4
Terminology: Designate one person or area to assume the role of personal data protection.
Scope: Controllers and processors.
Tasks:
• Assume the role of personal data protection.
• Handle data subjects’ requests.
Non-binding SIC guidance lays out additional tasks:
• Assist organizations implementing policies and procedures to comply with the data protection regulation.
• Monitor compliance and the data protection program.
• Train staff and conduct internal audits.
• Serve as contact point for DPA.
• Submit information related to processing operations to the National Registry of Databases of the Colombian DPA.
Registration/notification: Include designated person or area responsible for data protection in privacy notice.

Egypt
Legal instrument: Personal Data Protection Law, Articles 8–9
Terminology: Appoint a competent employee to be responsible for the protection of personal data.
Scope: Controllers and processors.
Tasks:
• Take charge of application of the law.
• Monitor compliance.
• Receive and respond to data subject requests.
• Evaluate personal data protection systems, document results and issue recommendations.
• Maintain personal data records.
• Take corrective actions for violations.
• Train staff.
• Implement security procedures.
• Liaise with DPA, notify DPA of infringements and implement decisions.
Structure: Competent employee of entity.
Registration/notification: Register with DPA.


EU member states (27)
Legal instrument: General Data Protection Regulation, Articles 37–39
Terminology: Designate a DPO.
Scope:
• Public authority or body processing data, except courts.
• Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale.
• Controllers or processors whose core activities include processing on a large scale of special categories of data.
• Where required by EU member state law.
Tasks:
• Inform and advise on data protection requirements.
• Monitor compliance.
• Advise organization on data protection impact assessments.
• Cooperate with DPA.
• Serve as contact for individuals and DPA.
Structure:
• Staff member or contractor.
• Resourced to carry out tasks and maintain expertise.
• Report to highest management level.
• No instructions or dismissal with regard to tasks.
• Bound by confidentiality.
Training/expertise:
• Professional qualities.
• Expert knowledge of data protection law and practices.
• Ability to fulfill legally mandated tasks.
Registration/notification: Publish contact information and communicate it to DPA (see how to do so by country).

Ghana
Legal instrument: Data Protection Act, Section 58
Terminology: Appoint a data protection supervisor.
Scope: Controllers.
Tasks: Monitor compliance with the act.
Structure: Employee or contractor based on controller size and commission guidance.
Training/expertise: Certified and qualified, with criteria to be specified by the commission.
Registration/notification: Register with the commission.

Mauritius
Legal instrument: Data Protection Act, Section 22(2)(e)
Terminology: Designate an officer responsible for data protection compliance.
Scope: Controllers.
Tasks: Take responsibility for data protection compliance.
Registration/notification:
• Inform data subject of DPO identity at time of collection.
• Maintain DPO contact details in record of processing.


Mexico
Legal instrument: Federal Law on Protection of Personal Data Held by Private Parties, Article 30
Terminology: Designate a personal data person or department.
Scope: Controllers.
Tasks:
• Process requests from data subjects.
• Promote data protection within the organization.

New Zealand
Legal instrument: Privacy Act, Part 9, Section 201
Terminology: Appoint as privacy officers for the agency one or more individuals.
Scope: Covered entities.
Tasks:
• Handle individual requests.
• Liaise with DPA on investigations.
• Ensure compliance with the act.
Structure: Staff member or contractor.

Nigeria
Legal instrument: Data Protection Regulation, Section 3.1.2
Terminology: Designate a DPO.
Scope: Controllers.
Tasks:
• Ensure adherence to the regulation.
• Follow the controller’s data protection directives.
Structure: Staff member or contracted firm or individual.
Training/expertise: Requires continuous capacity building for DPOs and personnel involved in data processing.
Registration/notification: Provide contact information to data subjects prior to collection.

Philippines
Legal instrument: Data Privacy Act, Section 21(b); NPC Advisory 2017-01
Terminology: Designate an individual or individuals who are accountable for the organization’s compliance.
Scope: Controllers and processors.
Tasks: Account for the organization’s compliance with the act.
Structure: One or more individuals.
Registration/notification:
• Make identity of designated individual(s) available to data subject upon request.
• Register with DPA.


Russia
Legal instrument: Data Protection Act, Section 22.1.1
Terminology: Appoint a person responsible for organizing the processing of personal data.
Scope: Operator, which is a legal entity.
Tasks:
• Organize the processing of personal data.
• Exercise internal control over compliance with personal data-related legislation.
• Educate the operator and employees regarding personal data-related requirements.
• Handle data subject requests.
Structure: Accountable to operator’s executive body.

San Marino
Legal instrument: Law 171/2018, Articles 38–40
Terminology: Designate a DPO.
Scope:
• Public authority or body processing data, except courts.
• Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale.
• Controllers or processors whose core activities include processing on a large scale of special categories of data.
Tasks:
• Inform and advise on data protection requirements.
• Monitor compliance.
• Advise organization on data protection impact assessments.
• Train staff.
• Cooperate with DPA.
• Serve as contact for individuals and DPA.
Structure:
• Staff member or contractor.
• Resourced to carry out tasks and maintain expertise.
• Report to highest management level.
• No instructions or dismissal with regard to tasks.
• Bound by confidentiality.
Training/expertise:
• Professional qualities.
• Expert knowledge of data protection law and practices.
• Ability to fulfill legally mandated tasks.
Registration/notification: Publish contact information and communicate it to the DPA.


Serbia
Legal instrument: Law on protection of personal data, Articles 56, 57, and 58
Terminology: Designate a DPO.
Scope:
• Public authorities, except courts.
• Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale.
• Controllers or processors whose core activities include processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
Tasks:
• Inform and advise on data protection requirements.
• Monitor implementation of the law and regulations on protection of personal data.
• Advise, when requested, on data protection impact assessment and monitoring of actions taken based on assessment.
• Cooperate with the commissioner.
• Serve as point of contact for data subjects and commissioner.
• Maintain confidentiality of personal data.
Structure:
• Staff member or contractor.
• Resourced to carry out tasks and maintain professional training.
• No instructions, penalties or dismissal with regard to duties, to ensure independence.
• Report to head of controller or processor.
Training/expertise:
• Professional knowledge and experience in the field.
• Ability to perform required tasks.
Registration/notification: Publish contact information and communicate it to the commissioner, which maintains a record of DPOs.

Singapore
Legal instrument: Personal Data Protection Act, Section 11(3)
Terminology: Designate one or more individuals to be responsible for ensuring the organization complies.
Scope: Covered entities.
Tasks: Ensure compliance with the act.
Structure: Person or team.
Training/expertise: PDPC DPO Competency Framework and Training Roadmap.
Registration/notification: Publish contact information.


South Africa
Legal instrument: Protection of Personal Information Act, Chapter 5, Part B
Terminology: Designate an information officer.
Scope: Public and private bodies.
Tasks:
• Encourage lawful processing of personal information.
• Handle individual requests.
• Liaise with regulator on investigations.
• Ensure compliance with the act.
• Other duties, as prescribed.
Registration/notification: Register with regulator.

South Korea
Legal instrument: Personal Information Protection Act, Article 31(1); Enforcement Decree
Terminology: Designate a privacy officer.
Scope: Covered entities.
Tasks:
• Manage data processing.
• Establish data protection plan.
• Survey and improve data processing.
• Address grievances with data processing.
• Build controls to prevent misuse of personal data.
• Educate staff about data protection.
• Protect, control and manage data files.
• Implement corrective measures for violations and report them to head of organization.
• Establish and implement a privacy policy.
• Maintain materials related to data protection.
• Destroy personal data once processing purpose is complete or retention period expires.
Structure: May not be disadvantaged without justifiable grounds.


Thailand
Legal instrument: Personal Data Protection Act, Sections 41 & 42
Terminology: Designate a DPO.
Scope: Data controllers and processors which are (1) public authorities; (2) engaged in regular monitoring of individuals on a large scale; (3) processing sensitive data as a core activity.
Tasks:
• Give advice with respect to compliance with the act.
• Investigate data processing for compliance with the act.
• Cooperate with the regulator.
• Maintain confidentiality of personal data.
• Other duties as assigned that do not conflict with duties under the act.
Structure:
• Affiliated controllers and processors can designate a single DPO.
• Staff member or contractor.
• Must be provided adequate tools, equipment and data access.
• Report to chief executive and protected from dismissal for performing tasks.
Training/expertise: Regulator may prescribe qualifications related to knowledge or expertise.
Registration/notification:
• Designate in writing.
• Provide contact details to data subjects and regulator.

Uganda
Legal instrument: Data Protection and Privacy Act, Article 6
Terminology: Designate a person as the DPO.
Scope: Institutions (i.e., covered entities other than individuals or public bodies).
Tasks: Ensure compliance with the act.

Ukraine
Legal instrument: Data Protection Law, Article 24(2)
Terminology: Appoint a unit or responsible person to organize the work related to personal data protection.
Scope:
• State and local governments; controllers and processors processing data of particular risk to the rights and freedoms of data subjects.
• Excludes sole traders, including doctors, attorneys and notaries, which are personally responsible.
Tasks:
• Organize the work related to personal data protection.
• Inform and advise the controller or processor on observance of the legislation.
• Cooperate with the Ukrainian Parliament Commissioner for Human Rights and appointed officials on compliance.
Registration/notification: Notify the Ukrainian Parliament Commissioner for Human Rights of responsible person, who will then publish the information.


United Arab Emirates
Legal instrument: ADGM Data Protection Regulations, Articles 35–37
Terminology: Appoint a DPO.
Scope: Control or processing of data from within the Abu Dhabi Global Market, when:
• Processing by public authority or body, except courts.
• Core activities require regular and systematic monitoring of data subjects on a large scale.
• Core activities include processing on a large scale of special categories of data.
• Entities with fewer than five employees are excluded unless conducting high risk processing.
Tasks:
• Inform and advise on data protection requirements.
• Monitor compliance.
• Raise organizational awareness and train staff.
• Advise organization on data protection impact assessments.
• Cooperate with the Commissioner of Data Protection.
• Serve as contact point for data subjects and commissioner.
Structure:
• Staff member or contractor.
• Resourced to carry out tasks.
• Reports to highest management level.
• No instructions or dismissal regarding tasks.
• Bound by confidentiality.
Training/expertise:
• Professional qualities.
• Expert knowledge of data protection law and practices.
• Ability to fulfill legally mandated tasks.
Registration/notification: Provide the Commissioner of Data Protection DPO contact details within one month of appointment, and inform the Commissioner of a DPO resignation and the reason for it within the same timeframe.


United Kingdom
Legal instrument: U.K. General Data Protection Regulation, Articles 37–39
Terminology: Designate a DPO.
Scope:
• Processing by public authority or body, except courts.
• Data controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale.
• Data controllers or processors whose core activities include processing on a large scale of special categories of data.
Tasks:
• Inform and advise on data protection requirements.
• Monitor compliance.
• Advise organization on data protection impact assessments.
• Cooperate with the Information Commissioner’s Office.
• Serve as contact for individuals and ICO.
Structure:
• Staff member or contractor.
• Resourced to carry out tasks and maintain expertise.
• Reports to highest management level.
• No instructions or dismissal regarding tasks.
• Bound by confidentiality.
Training/expertise:
• Professional qualities.
• Expert knowledge of data protection law and practices.
• Ability to fulfill legally mandated tasks.
Registration/notification: Publish contact information and communicate it to ICO.

United States
Legal instrument: Health Insurance Portability and Accountability Act, Section 164.530(a)(1)
Terminology: Designate a privacy official.
Scope: HIPAA-covered entities.
Tasks: Develop and implement the policies and procedures of the entity.
Registration/notification: Maintain written or electronic record of designation.

Uruguay
Legal instrument: Law 19670, Article 40; Decree 65/020
Terminology: Appoint a DPO.
Scope:
• Public entities.
• Fully or partially state-owned private entities.
• Private entities that process sensitive data as their main business and those that process large volumes of data (concerning more than 35,000 people).
Tasks:
• Advise on the formulation, design and application of data protection policies.
• Supervise compliance with regulations.
• Propose measures to conform to the law, regulations and international standards on data protection.
• Liaise with the regulator.
• Other tasks as assigned, which do not conflict with mandated duties.
Structure:
• Must have technical autonomy and receive no instructions on performance of DPO function.
• Can be staff or contractor.
• Must have full access to personal databases and processing operations.
Training/expertise:
• Possess necessary qualifications to perform tasks.
• Knowledge in law, specialized in the protection of personal data, which must be accredited.
Registration/notification: Communicate appointment to regulator within 90 days.

International Association of Privacy Professionals  •  iapp.org
