02.18 – Roles and Responsibilities

Under the GDPR/GDPR, <<organisation name>> is a data controller and/or data processor.

<<organisation name>> processes a large volume of special category data and as such is required to appoint a DPO. <<organisation name>> will opt to appoint an existing member of staff as long as there is no conflict of interest with any other duties in which they are engaged. <<organisation name>> can also contract the role out to an external provider as long as that provider has the same position, tasks and duties as an internal DPO would have.

It’s essential that this staff member or provider has the right level of skills and knowledge of data protection relative to the level of personal data processing carried out and the level of protection required for the data subjects.

Name of Data Protection Officer, who the Management Board considers to be suitably qualified and experienced, has been appointed to take the responsibility for <<organisation name>>’s compliance with this policy on a daily basis. In particular, Name of Data Protection Officer has direct responsibility for ensuring that <<organisation name>> complies with the GDPR/GDPR, as do Manager/Executive Directors in respect of data processing that takes place within their area of responsibility.

The Data Protection Officer has specific responsibilities in respect of procedures such as the Subject Access Request Procedure and is the first point of call for Employees/Staff seeking clarification on any aspect of data protection compliance.

Compliance with the EU/UK data protection regulation is also the responsibility of all Employees/Staff of <<organisation name>> who use/process personal data. <<organisation name>>’s Training Policy sets out specific training and awareness requirements in relation to specific roles and Employees/Staff of <<organisation name>> generally.

In addition, <<organisation name>> may engage with jurisdiction representative services. The main role of the representative is to serve as a point of contact and be readily available for supervisory authorities and data subjects regarding data protection matters within the allocated jurisdiction.

The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

Management

  • developing and encouraging good information handling practices within the organisation
  • responsibilities are set out in individual job descriptions.

Data Protection Officer

  • is accountable to the management board for the management of personal data within the organisation.
  • ensuring that compliance with data protection legislation and good practice can be demonstrated.
  • is accountable for development and implementation of the GDPR/GDPR as required by this policy.
  • is accountable for security and risk management in relation to compliance with the policy.

Employees

  • ensuring that any personal data about them and supplied by them to the organisation is accurate and up-to-date.

Jurisdiction Representative

  • Point of contact for data subjects
  • Point of contact for supervisory authorities
  • Maintaining a record of processing activities
  • Others