Data Protection Officer
In this page you will understand the role of the Data Protection Officer (DPO) at EPFL.
The role of the data protection officer (DPO)
Why a DPO is needed?
- As federal body, EPFL must designate a data protection officer (DPO) to oversee:
- compliance with data protection laws and regulations
- risk-mitigation efforts with regard to non-compliance.
- When EPFL serves as a data controller1, it must also:
- take the appropriate measures to protect the personal data
- demonstrate compliance with legal requirements including when the processing of personal data is subcontracted to third parties as “data processors.”
What does the DPO do?
- Assists the EPFL community with issues related to personal data protection.
- Informs and advises the EPFL community of their obligations under the law.
- Monitors compliance with data protection laws, such as through audits, awareness-raising activities, staff training and more.
- Coordinates EPFL’s record of processing activities.
- Advises on data protection impact assessments (DPIAs) and monitors performance.
- Acts as a contact point for requests from individuals on:
- how their personal data are processed
- how to exercise their rights.
- Cooperates with data protection authorities (DPAs) and acts as a contact point for them (e.g., in the event of a data breach).
- Presents EPFL’s upper management a yearly report.
What does the DPO not do?
- The DPO is not personally liable for data protection compliance. This liability falls to EPFL as a data controller. Non-compliance may result in:
- negative consequences or damage to data subjects
- damage to EPFL’s image (reputational risk)
- material legal and/or financial consequences (e.g., fines or the loss of EU research grants).
- The DPO is not responsible for the protection of all kinds of data (e.g., animal data).
- The DPO does not implement measures to protect personal data.
- The DPO advises on the measures to be taken, but implementation is the responsibility of the data controller.
When should the DPO be called on?
- The DPO should be contacted:
- Immediately in the event of a data breach (see: How to notify a data breach)
- Early on in your research or administrative project to help you with the legal requirements. Some projects require researchers or administrarive project managers to conduct a data protection impact assessment (DPIA) before starting, and the DPO can help you with that. The DPO can also advise you on privacy by design – a fundamental principle in data protection that can help you prevent data breaches and manage personal data efficiently.
DPO independence
- Data controllers cannot give the DPO any instructions for performing the DPO’s tasks.
- The DPO cannot have any conflicts of interest.
- ↑ Data controller : Who sets the purposes for which and the means by which personal data are processed datacontroller-back