What are the tasks of the Data Protection Officer?
According to Art. 39 of the General Data Protection Regulation (GDPR), data protection officers are responsible for the following tasks in the City of Innsbruck:
- Informing and advising the controller or processor and employees who carry out processing operations with regard to their obligations under this Regulation and other Union or Member State data protection legislation;
- Monitoring compliance with this Regulation, other Union or Member State data protection provisions and the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations and related audits;
- Providing advice, on request, in connection with the data protection impact assessment and monitoring its implementation in accordance with Art. 35;
- Co-operation with the supervisory authority;
- Acting as a contact point for the supervisory authority in matters relating to processing, including prior consultation in accordance with Art. 36, and providing advice on all other matters as appropriate.
In performing his or her tasks, the Data Protection Officer shall take due account of the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.
Other areas of work of the data protection officer?
- The data protection officer and the persons working for him or her are obliged to maintain confidentiality in the fulfilment of their duties, irrespective of other confidentiality obligations. This applies in particular to the identity of data subjects who have contacted the data protection officer and to circumstances that allow conclusions to be drawn about these persons, unless the data subject has expressly released them from the obligation of confidentiality. The data protection officer and the persons working for him or her may only use the information made available to them for the fulfilment of their duties and are obliged to maintain confidentiality even after the end of their work.
- If a data protection officer obtains knowledge of data in the course of his or her work for which a person employed by a body subject to the data protection officer's control has a statutory right to refuse to give evidence, the data protection officer and the persons working on his or her behalf shall also be entitled to this right insofar as the person entitled to the statutory right to refuse to give evidence has exercised it. Within the scope of the data protection officer's right to refuse to give evidence, his or her files and other documents are subject to a ban on seizure and confiscation.
- The data protection officer in the public sector (established in forms of public law, in particular also as an organ of a regional authority) is not subject to instructions with regard to the performance of his or her duties. The supreme body has the right to obtain information from the data protection officer in the public sector on matters relating to the conduct of business. The data protection officer shall only comply with this to the extent that doing so does not contradict the independence of the data protection officer within the meaning of Art. 38 para. 3 GDPR.
- Depending on the type and scope of data processing and the organisation of the federal ministry, one or more data protection officers must be appointed within the sphere of activity of each federal ministry. These must belong to the respective federal ministry or the respective subordinate department or other organisation.
- The data protection officers in the public sector pursuant to para. 4 shall maintain a regular exchange of experience, in particular with a view to ensuring a uniform data protection standard.