Legal regulation of breach of contracts with Data Protection Officer | Law&Trust International

Since May 25, 2018, after the entry into force of the General Data Protection Regulation (General Data Protection Regulation, GDPR 2016/679), many EU companies are required to accept a new employee for permanent employment. We are talking about an official who will deal with the direction of data protection, or a DPO (Data protection officer).

It is essential to understand that these are critical requirements to comply with the entire regulatory mechanism, since it is this official who is fully responsible for the processing of personal data and the implementation of all other principles of the GDPR, including records of confidentiality, protection, use, data verification (Art. 37 - 39).

Following the open practice of the EU in 2019, it can be argued that lawyers were appointed to perform the functions of the Data Protection Officer, as well as 4th-year law students who have sufficient professional skills and knowledge of data protection regulations to perform the following tasks:

  • Inform the controller and data processor of their obligations regarding the data protection regulations;
  • Monitor compliance with the rules and requirements of the regulations;
  • To be a representative in the supervisory authority for compliance with the regulations;
  • Be a consultant in any situations affecting the regulations.

The peculiarities of legal registration of such a position are dictated by some requirements for the organization of its functions:

  • The area is directly subordinate to the highest authorities of the Company;
  • An area may not receive any instructions for execution from other positions related to data processing, a controller or a data processor, for objective control and organization of labour;
  • The position may perform different functions if they do not contradict the basic job descriptions and are possible in the work schedule and business process of the Company.
  • General legislation does not limit the form of appointment of such an employee, but at the same time provides a reasonably flexible system for accepting such a post to perform the necessary functions. It may be an employment contract, an outsourcing contract (outstaffing), or a contract for the provision of services with the remote performance of work.

In this case, the mandatory requirements for the implementation of such action must be met in contact:

  • An employee cannot work more than 48 hours a day (EU's Working Time Directive (2003/88 / EC);
  • The employee also retains the right to flexible working hours (Brussels, 07/16/2002. Framework agreement on telework);
  • The Company must provide a break of at least 20 minutes if the employee is continuously working 6 hours a day, which is still considered working time.
  • (Decision on the case of Hughes v Corps of Commissionaires Management Ltd), including if the employee provides labour services remotely from the state of the Company (decision on the matter of Russell v Transocean International Resources Ltd 2011);
  • The Company provides four weeks of paid vacation per year (Directive (2005/47 / EC);
  • The Company is obliged to keep up-to-date records of the employee's working time, which perform such work, and consider the job done to be appropriate, and any breaks or vacations such as not provided (Crawford v Network Rail Infrastructure Limited Solution);
  • Mandatory one day off every 7 working days, regardless of the complexity of the work (Maio Marques da Rosa v Varzimsol); provision of holidays during the religious holidays, an additional 48 hours of rest if it is impossible to determine the control time of other employees (Working Time Directive (Directive 2003/88 / EC of November 4 2003)).

However, there are some requirements for the conclusion of a contract with a DPO:

  • A DPO must be independent of the Company because he or she must be able to balance the interests of the organization with the benefits of people whose data can be processed by the organization. In this regard, the role of the DPO is to some extent comparable to the work council that represents the interests of the workers;
  • A DPO cannot represent the interests of an organization before the owners of the data, just as it cannot represent the interests of the owners of the data before state authorities;
  • DPO cannot provide the benefits of state regulatory bodies to the Company, but it is liable for it to communicate changes in legislation for the Company, as well as violations by the Company's employees to state bodies.

Given the above functions of continuous monitoring, information and decision-making, guarantees are established regarding the termination or termination of a contract with a DPO:

Can not be fired or fined by the controller or handler for performing their tasks. "If the DPO finds that specific processing of personal data carries a high risk and requires an assessment of the impact on data protection. If the organization disagrees with the position of its employee, the DPO cannot be dismissed for providing this recommendation, as it can not be rejected for improperly assessing the risk if such risk is unclear or implicit.

It is prohibited to appoint two or more employees to perform the same work at the same time by applying to the different methods of reward and punishment for the same job. Thus, the Company will not be able to eliminate the employee it dislikes, by hiring another employee who will oust him from the business processes and will allow the Company to terminate the Contract after the reorganization - the reduction of one of the posts.

Poor compliance with the law in the course of fulfilling its labour obligations and functions requires an increase in education with the mandatory preservation of the employment contract and not dismissal. Thus, the Company will not be able to apply the "lack of professional skills" or "does not suit professionally" as a justification for dismissal, but must send it for conversion at the Company's expense, retaining a working contract for the time of such education and with the necessary payment of salary.

Not terminating or not properly ending the Contract does not lead to the loss of the employee's right to adequate compensation (payment of receivables) if the Company ceases to cooperate and takes measures that preclude the possibility of fully or partially performing functions.

To ensure the standards of GDPR, business processes, methods of collecting and storing information, as well as methods of regulating the work of employees in the Company to assess the regulations governing an employee's work should be taken into account. Elements that must necessarily be taken into account by the Company and reflected in the Contract:

  1. The exclusivity of the work schedule, which would correspond to the process of the Company (for example, in the case of two offices in different locations with different time zones, you should hire different employees);
  2. The exclusivity of data for verification and data indicators (language, the form of checking, storage methods and technical tools to ensure the activities of the employee must be specified in the Contract);
  3. The exclusivity of the reporting period and the form of such a report (a report and a voting report cannot be filed while the employee is on vacation, on long-term sick leave, or religious holidays);
  4. The exclusivity of employee fixation methods and employee work time (in case of disagreement on the fulfilment of obligations);
  5. The exceptionality of the contract validity with grounds for termination (termination due to disappearances of grounds for concluding an agreement with the second employee to replace the principal during the employee's leave, or long-term illness, pregnancy, or upon expiration of the control obligations of an individual office taken, or clear language requirement);
  6. Exceptional pay for spent labour hours.

In the event of non-compliance with such requirements, the Company will retain obligations to the employees in full if it were to carry out these works correctly regardless of the acceptance of such services by the Company or unilateral termination of the Contract (Negligence Duty vs Nulla negligence principle).

Analyzing the above, we can conclude that the legal regulation of the grounds for breaking the Contract with Data Protection Officer. It is limited not only by law, but also by the Company's care in organizing the work of its employees and drawing up new flexible grounds for protecting its interests, which are not expressly provided for in General Data Protection Regulation, but which correspond to the Company's business process. At the same time, the Contract itself can become indefinite and inseparable, giving the employee maximum freedom and irresponsibility, leaving the right to terminate the Contract based on only unfair contract terms for the employee himself, in cases of negligent inattention of the Company during its drafting.

Our team

Key benefits of legal services offered by Law and Trust International

Benefits of legal services-1
Experience and qualifications. The experience of the L&T International team is more than 15 years. It gives the opportunity for working with cases in many business areas like finance, IT, agriculture, trade and foreign economic activity. Thanks to this experience, our specialists always offer the best selection of services.
Benefits of legal services-2
Comprehensive approach and individual solutions. Law and Trust International always provides a vast range of services for our clients, taking into account the individual characteristics of each particular case. Due to this symbiosis, our specialists always fulfil all the wishes of clients in full and taking into account the requests and preferences of customers.
Benefits of legal services-3
Monitoring and innovation.Our team keeps tracking the newest and most advanced working methods, as well as the latest legislative, financial and economic information events around the world. It allows lawyers of Law and Trust International to quickly and creatively resolve virtually any issues in the field of legal consulting.
Benefits of legal services-4
Privacy and responsibility. The security of our customers' data and respond to them are particularly important in the work of Law and Trust International. For all the time of work, we have not had a single leak of commercial, personal or legal information. It allows us to develop, grow and achieve new opportunities.
Benefits of legal services-5
Reputation and result. A team of lawyers of Law and Trust International always welcomes the success of our clients. Reaching new results, we develop new skills that we successfully use in our work. Thanks to successful cases, our clients and our team, we are creating qualitatively new opportunities to achieve the desired result now.

Clients and partners

Aliplay
Moneypolo
Meridian
Plag
InDriver
Sola
Wanna
BaltBank
MDK
BitSec
SemRush
AAC
sintez
JetTransfer
Abyss
MailRu