white_paper_on_data_protection_in_india_171127_final_v2
Under the EU GDPR, only certain data controllers are required to designate a DPO. 755 Some
provision is also made to maintain the independence and effectiveness of this officer. 756 The
tasks of the DPO include informing and advising on as well as monitoring compliance,
advising on and monitoring the performance of DPIAs, cooperating with the supervisory
authority and acting as the authorities' contact point on all relevant issues. 757
Canada<br />
Under the PIPEDA, an accountability framework is built around certain individuals who have
been designated by an organisation for compliance with accountability provisions 758 and for
receiving challenges/complaints regarding compliance. 759 The PIPEDA also states that the
designation of such individuals does not relieve organisations of their duty to comply with
obligations. 760
South Africa<br />
The POPI Act adopts the designation of an information officer from the Promotion of Access
to Information Act, 2000. 761 Further, it provides for certain additional obligations for the
information officer such as encouraging organisational compliance with the relevant law,
dealing with requests made to the body under that law, and working with the Information
Regulator in relation to investigations. 762
2.16 Provisional Views
1. The effective enforcement of a data protection law may require some form of
differentiated obligations so that certain entities covered under the framework whose
processing activities create higher degrees of risk or may cause significant harm can be
more readily engaged with and guided in ensuring compliance with relevant
obligations.
755 Article 37, EU GDPR. (The provision outlines three situations in which the obligation to appoint a DPO
arises: first, for a public authority or body (except a court) carrying out processing; second, where the controller's
core activities require regular, systematic and large scale monitoring of persons; and third, where such core
activities require large scale monitoring of certain special categories of data).
756 Article 38, EU GDPR. (The DPO may be a staff member or may be on a service contract. It is further
mandated that the DPO is to receive adequate support and should not be instructed on his data protection tasks or
dismissed or penalised for performing them. Any other tasks he is asked to fulfil should not create any conflict
of interest).
757 Article 39, EU GDPR. Further, there is no provision in the UK DPA for the appointment of a DPO: See Anita
Bapat and Adam Smith, ‘United Kingdom: Data Protection 2017,’ International Comparative Legal Guides
(ICLG) (15 May 2017), available at: https://iclg.com/practice-areas/data-protection/data-protection-2017/unitedkingdom,
(last accessed 6 November 2017).
758 Principle 1 of Schedule 1, PIPEDA (Accountability).
759 Principle 10 of Schedule 1, PIPEDA (Challenging Compliance).
760 Section 6, PIPEDA. Further, there is no provision in the Australian (Privacy Act) for the appointment of a
DPO: See Melissa Fai and Alex Borowsky, ‘Australia: Data Protection 2017’, International Comparative Legal
Guides (ICLG) (15 May 2017), available at: https://iclg.com/practice-areas/data-protection/data-protection-2017/australia,
(last accessed 6 November 2017).
761 Section 1, POPI Act.
762 Section 55, POPI Act.