The controller is solely responsible for the implementation of the PVZLP and determines the persons responsible for carrying it out.

The controller should seek advice from the officer, where designated. The controller documents the officer’s advice and decisions within the PVZLP.

Various organizational units or persons within the controller should be involved in the implementation of the PVZLP (for example, the legal department, IT department, marketing department, security department, etc.).

When implementing the PVZLP, the controller may hire external persons or seek advice or opinions from independent experts (for example, lawyers, IT experts, security experts, sociologists, ethics experts, etc.), depending on the nature of the technological and organizational solutions that will be applied in the personal data processing operations.

When the processing is fully or partially carried out by a processor, the processor is obliged to help the controller in the implementation of the GDPR. The roles, obligations and responsibilities of the controller and the processor must be defined by an agreement in accordance with the regulations for the protection of personal data.

Examples of good practice for engaging persons and involving relevant organizational units in implementing the PVZLP

Good practice: Consideration and involvement of relevant organizational units in the implementation of PVZLP

Example: When implementing the PVZLP to establish a loyalty club, the IT department and/or the information system security department should be involved.

Good practice: Involvement of appropriate experts to obtain professional opinions (lawyers, IT experts, security experts, etc.)

Example: Before developing an application for remote storage of health data, an expert in the field of medicine should be consulted.

Good practice: Involvement of the officer in the implementation of PVZLP

Example: The officer may:

  • suggest when the PVZLP should be implemented,
  • help in the selection and application of the PVZLP methodology,
  • help with risk assessment,
  • help raise awareness among the participants in the PVZLP of the principles, definitions, rules and obligations regarding the protection of personal data.