Obligations of data processors

The obligations of the processor are determined by the General Data Protection Regulation and the Personal Data Protection Act in several locations.

The General Regulation specifies the general obligations of processors and persons who process personal data on their behalf (processors). Among such obligations are the obligation to implement suitable security measures and the obligation to officially notify on violations of personal data. In accordance with the Regulation, the public sector and companies whose core activities include the collection or processing and require a regular and systematic monitoring of individuals or an extensive processing of specific types of data, shall appoint an official (responsible) person for the protection of data. 

Operators are no longer obliged to report the collections of personal data to the register of personal data collections, while the obligation to keep a record of processing activities remain. Additionally, these obligations go further and must be implemented also by (contractual) processors.

The General Regulation shall also place more emphasis on (prior) implementation of the analysis of impacts on the protection of personal data, in case of security incidents, such as the loss of personal data, however, the obligation to report it to the supervisory authority and in certain cases to inform all affected individuals shall be implemented.

ZVOP-2 lays down rules for individual areas (video surveillance, biometrics, transfer, etc.) and are described in more detail below.

You may notify the Information Commissioner about the designation of DPO in your organisation using this form.