According to Art. 37 (7) GDPR, data controllers (Art. 4 No. 7 GDPR) and data processors (Art. 4 No. 8 GDPR) who have appoint a data protection officer (DPO) are obligat to publish the contact details of their DPO and communicate them to the competent data protection supervisory authority. While contact details are regularly publish on the company’s own website (in the privacy policy), the required notification can be made online, for example, using a specially design form provid by the respective supervisory authority data protection officers.
Running late? data protection officers
However, particularly in the case of a change of DPO – especially at the beginning of the year – the following scenario cannot be ruled out. The controller or processor has already appointed. The new DPO in writing in. December of the previous year, italy business fax list but forgot to update the relevant contact details on its website by. January 1 and to notify the supervisory authority of the change. Once this is notic internally. The information on the website is immediately correc, but given that the notification has not yet been receiv, the following question arises:
Fixed deadline
Currently, indications arise primarily from the standard itself and indirectly from other legal provisions: Firstly, the specific wording of Article suggests that notification must be made proactively (and not only upon request from the authority). Secondly, common resignation email mistakes the legally defined tasks of the DPO under Article 39 . Indicate that the notification obligation must be complied. Wth immediately after the DPO has been appoint. This is because, in principle, communicating contact details to the supervisory authority is . Prerequisite for the DPO to be able to fulfil these tasks – which are incumbent upon them from their appointment. Any deadline other than immediate notification after their appointment would contradict this.
Fulfill obligations
In addition, at least the supervisory authority in Schleswig-Holste is of the opinion that the DPO’s notification to the supervisory authority is also a signal from controllers . Processors that they have (generally) fulfilled their obligation to appoint a DPO and, albania business directoryin the context. The second part of its “Practical series: Implementing data protection regulations in practice”, explicitly demands immediate information in the event of personnel changes in the position of the DPO.
Possible fines
The €51,000 fine imposed on Facebook Germany the. HmbBfDI makes it clear: The appointment of a data protection officer and notification to the supervisory authority are obligations that the GDPR takes seriously . Even minor violations of such obligations can result in significant fines .”