- Napreden AI iskalnik za hitro iskanje primerov
- Dostop do celotne evropske in slovenske sodne prakse
- Samodejno označevanje ključnih relevantnih odstavkov
Podobni dokumenti
Ogledaj podobne dokumente za vaš primer.Prijavi se in poglej več podobnih dokumentov
Question regarding DPO notification requirements for non-EU/non-Local Controllers and Processors
Z nami najdeš vse. Preizkusi zdaj!
Samo zamislim si kaj bi rada da piše v sodbi, to vpišem v iskalnik, in dobim kar sem iskala. Hvala!
Tara K., odvetnica
Question regarding DPO notification requirements for non-EU/non-Local Controllers and Processors
Datum
12.12.2024
Številka
5424-1/2024/150
Kategorije
Pooblaščene osebe za varstvo podatkov - DPO
We have received your question regarding DPO notification requirements for non-EU/non-Local Controllers and Processors. As you explain the respective controller or processor in question (your client) is not established in the European Union / Slovenia but process personal data of data subjects within Slovenia. This entity has appointed your company (registered in Romania) as their DPO and an EU representative located in another European Union (not in Slovenia). Specifically, your question is:
does your client (controller or processor) need to notify their DPO (your company) to our authority (Information Commissioner of the Republic of Slovenia)?
In the circumstances that you described we are of the opinion that the respective controller should notify the DPO (your company) to the Information Commissioner of the Republic of Slovenia, as controller or processor not established in the Union and not having a main establishment in the Union, where GDPR is applicable on the grounds of GDRP Article 3(2), cannot avail of the one-stop-shop mechanism (see for example: The EU General Data Protection Regulation (GDPR): A Commentary; Christopher Kuner (ed.), Lee A Bygrave (ed.), Christopher Docksey (ed.), Laura Drechsler (ed.), page 698), where they could notify only one Supervisory Authority. Hence the controller should notify Supervisory Authorities in each Member State where the controller/processor is offering goods or services or is monitoring behaviour of the individuals as far as their behaviour takes place within the Union.
Notification can be done by e-mail to: gp.ip@ip-rs.si. Or using the webform (in Slovenian only): https://www.ip-rs.si/pooblascene-osebe.
Furthermore, we would like to point out that the EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union (see Guidelines 3/2018 on the territorial scope of the GDPR, page 24: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en.pdf).
Kindest regards,
dr. Jelena Virant Burnik, Information Commissioner of the Republic of Slovenia
Prepared by
mag. Andrej Tomšič, Deputy Information Commissioner