Abstract [eng]
The Relation of the Responsibility of the Data Protection Officer and the Data Controller for Compliance with Data Protection Law

SUMMARY

Since the entry into force of the GDPR, the reform of EU personal data protection law has been implemented. This reform has brought not only positive aspects to data protection law, such as the extension of data subjects' rights and increased limits on the data controller's liability, but also many uncertainties. The newly established post of data protection officer is not defined entirely clearly in the GDPR; it is described rather abstractly, leaving ample scope for differing interpretations. The issue arises when a line needs to be drawn in the relationship between the controller and the data protection officer. With the rapid development of information technology and the increasing diversity of potential security threats, the issue of shared responsibility comes to the fore. Therefore, the purpose of this work is to reveal how the responsibilities of the data controller and the data protection officer under personal data protection legislation are delimited.

The master's thesis reveals the concepts of data controller and data protection officer, and analyzes the duties assigned to the data controller and the principles of activity of the data protection officer. The evaluation of the data protection officer reveals a "different" status in the controller's organization, whether the officer is an employee of the controller or an external partner. To determine the aspects separating liability, the thesis assessed both the separation of liability of these two subjects of data protection law for complying with data protection law norms and the delimitation of liability in cases of violations of personal data protection law.

The analysis of legal norms and soft law sources revealed that both the responsibility for compliance with legal requirements and liability for identified violations rest with the data controller. This responsibility is determined by the norms of the GDPR and presupposes the duties assigned to the controller. The Data Protection Officer is not entitled to take decisions; he is obliged to monitor the data processing carried out by the data controller and to provide advice on the requirements of the legal acts applicable to the activities of the data controller. The duties held by the data controller and the competence granted automatically result in full liability. The only case in which the liability of the Data Protection Officer may be established is his own fault or improper performance of the contract governing the provision of the Data Protection Officer's services.