The appointment of a data protection officer: steering the governance of personal data
Rolland has appointed a data protection officer: Anthony COZIEN – ROLLAND Company – ZA des moors – 29800 TREFLEVENEZ – firstname.lastname@example.org
Rolland enables the Data Protection Officer to maintain his specialized knowledge, for example through participation in training courses or by subscribing to specialized newsletters. In addition, Rolland places at the disposal of the data protection officer the resources and working conditions necessary for the performance of his duties.
The data protection officer will be received by senior management as often as his duties require.
The data protection officer has at least the following tasks:
- Inform and advise those who process the data and employees about their data protection obligations
- Analyze processing projects and processing operations in terms of purpose, proportionality, minimization of the data collected, lawfulness of processing, security of the data collected, recipients of the data collected, management of relations with processors (subcontractors), clear and prior information of the persons concerned, the conditions for the exercise of individuals' rights, and the identification of data transfers outside the European Union
- Monitor compliance with data protection regulations and the internal rules of the controller, including the division of responsibilities, awareness and training of staff involved in processing operations, and audits relating thereto
- Provide advice on request regarding the data protection impact assessment and verify its implementation
- Cooperate with the supervisory authority and act as its point of contact on issues relating to processing
The data protection officer relies on a network of contact persons who must consult him and provide him with information in good time.
Rolland creates a Governance and Ethics Committee for Data Protection.
It is a forum for debating the ethical issues raised by Rolland's use of data. Beyond mere compliance, some uses of data may not be desirable. The Committee sets the limits and defines what is not compatible with Rolland's values.
The Committee will meet regularly and may be asked by the data protection officer for its opinion on specific issues.
The members of the Governance Committee are the Data Protection Officer and a member of management. The committee may refer the matter to the management committee for any questions relating to data protection.
The main mission of this Committee will be to provide feedback from the various operational departments and to prepare the necessary documents for compliance.
It assesses and prevents data protection risks and resolves or assists teams in resolving issues.
Effectiveness of the rights of individuals: procedure for managing complaints and exercising the rights of individuals
The handling of complaints and requests for the exercise of individuals' rights is managed by the data protection officer.
Complaints and requests will be handled on a case-by-case basis (right of access, rectification, erasure, restriction of processing, portability, and the right to give instructions on the fate of one's data after death).
The Data Protection Officer will act as a point of contact for the data subjects and will manage the processing of complaints. These will be sent to the email address email@example.com.
Internal and external policies
Rolland has established two data protection policies, one internal concerning the data protection of employees and the other external concerning the protection of data of customers and prospects.
These data protection policies include all the principles necessary to ensure fair and transparent processing. They will include, in particular, the data controller's contact details, the data protection officer's details, and the principles set out in the European General Data Protection Regulation, in particular with regard to the lawfulness of processing, respect for the rights of data subjects, possible transfers to a third country, the recipients of the data collected, the retention period of the data collected, and data security measures.
The Data Protection Officer monitors compliance with the data protection policies put in place.
These policies will be reviewed and updated as necessary, at least every three years.
Data Protection Charter
In order to disseminate the good practices that everyone in the organization has to respect in terms of data protection, a data protection charter will be established.
This charter will specify the main data protection principles that apply (specified, explicit and legitimate purpose; relevance of the data with regard to the purpose of processing; limited retention period; restriction of access to the data; physical and logical security measures; information of the data subjects; and, where applicable, the rules applicable to data transfers outside the European Union).
It will determine the roles and responsibilities of the different actors.
Validation process for data protection activities
All outgoing documents, whether contracts or data collection forms, will be endorsed by the Data Protection Officer to ensure that they comply with the legal requirements.
Prior consultation of the Data Protection Officer
The data protection officer will be consulted, by the project manager and by any operational staff wishing to implement or modify a personal data processing operation, prior to the deployment of any project that has an impact on data protection. He or she is systematically involved upstream in discussions on all questions relating to data protection, and will carry out an analysis whenever he or she deems it necessary, with the aim of ensuring data protection by default and by design from the project's design stage.
The data protection officer will be responsible for analyzing the situation. Where necessary, the data protection officer will inform the project manager of the need to carry out a risk analysis for the processing concerned, and may call on a third party for this purpose.
The data protection officer is consulted on any impact assessment and verifies its implementation. In any case, the results of the impact assessment are given to the data protection officer, who will make his recommendations before the processing is implemented. If the controller does not follow the data protection officer's recommendations, the impact assessment documentation must state the reason for doing so.
Register of processing operations
Rolland will draw up a register of the processing operations implemented within it, in order to comply with the provisions of the European Data Protection Regulation.
The designated contact persons in the operational departments must ensure that the processing operations listed by their department in the register are kept up to date. In the event of a change in the implementation arrangements, they must inform the data protection officer.
Given the new requirements for reporting security breaches to the CNIL, a procedure and a policy for responding to a security breach or incident will be established.
The procedure shall include, in particular, the obligation to notify the competent supervisory authority, where possible within 72 hours of becoming aware of the breach, as well as the actions to be taken depending on the case, in particular informing the persons concerned and lodging a complaint.
Evaluation of the data protection compliance scheme
The data protection officer monitors compliance with data protection requirements (the "Informatique et Libertés" obligations). He or she ensures that the policies and procedures defined in this area are respected and may commission or conduct audits as part of a periodic compliance review, to ensure that the processing operations considered most sensitive in terms of risk are implemented in compliance with legal requirements.
In case of discrepancies, the data protection officer will inform the general management of a remedial action plan.