• Ellex Raidla’s data protection practice group offers organisations the service of a data protection officer i.e. DPO.
  • There are two options available:
  • Which organisations need to appoint a DPO?
The data protection officer regulation is not novel in the GDPR and is created on the basis of the previously existing regulation of the personal data protection directive. Until now appointing a person responsible for personal data protection has been voluntary but the implementation of the GDPR subjects certain institutions and companies to the obligation to appoint a data protection officer (DPO). In the context of the GDPR, Estonian and EU supervisory authorities recommend appointing a person responsible for data protection even when it is not mandatory for the company or institution.
The respective official must be appointed by (whether internally or subcontracted): all public sector institutions (excl. courts) and many private sector entities: real estate companies, financial institutions, online shops, travel agencies, employment agencies, collecting agencies, health care service providers, telecommunication companies, market research companies, people engaged in research activity, accommodation services, security companies etc. The list of areas of activities is not exhaustive.
Pursuant to the GDPR, it is mandatory to appoint a DPO when:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
  • The service is intended for:
1. Authorities and companies obliged to appoint a DPO under the GDPR;
2. Companies who consider it necessary to appoint a person responsible for data processing to implement the GDPR.
  • The content of the service is:
1. Notifying and advising the client about personal data protection requirements under the GDPR and other legal acts applicable to processing;
2. Assessment of risks concerning processing activities, considering the manner, scope, context and purposes of personal data processing;
3. Monitoring compliance with personal data protection principles and requirements and making proposals for the division of areas of responsibility, incl. the drafting of respective rules, agreements and other documents;
4. Increasing the awareness and training of staff engaged in personal data processing;
5. Participation in audits concerning personal data protection, incl. data protection impact assessment;
6. Analysis of and advising on processing processes to ensure compliance with data processing requirements;
7. Notifying the supervisory authority and data subject about personal data breaches;
8. Providing guidelines for the recording of processing activities;
9. Advising data subjects on matters concerning data processing conducted by the Client;
10. Cooperation with supervisory authorities, incl. prior consultations and the contact person function;
11. Other tasks as agreed on by the parties.
  • Added value of the service
The data controller and processor shall provide the data protection officer resources necessary to carry out his/her tasks and maintain his or her expert knowledge. In the course of the service, the respective resources are gathered so that the service provider can give the Clients high-level and updated information concerning their area of activity and practice, incl. risk assessment and trends, legislative developments and the best practices applicable in the Client’s activity.
The service providers also make available to the clients materials and solutions that can be implemented in the company to comply with personal data protection requirements and ensure this compliance (examples of respective rules, documents etc. and guidelines).
  • Obligations arising from the service
 In order to ensure the proper provision of the service, the Client gives the service provider access to the documentation concerning data processing, decision-making and work processes and persons responsible for ensuring personal data protection requirements.
  • Restriction of liability
 The service provider shall not be personally held liable for personal data breaches and the possible resulting claims.
  • Other matters
The service provider ensures secrecy and confidentiality in relation to the performance of the tasks.
Both parties shall ensure that a conflict of interest does not result from the performance of tasks and obligations.
  • Why choose us?
In light of the new general data protection regulation (GDPR), Ellex Raidla has put together a special WORK GROUP. The work group is led by partner Ants Nõmper and DPO services are provided by Merlin Liis.
  • 20 years of experience with advising on complicated data protection matters and processes
  • Members of the work group regularly lecture on IT, cyber security and data protection at various conferences, seminars as well as in Tallinn University and Tallinn University of Technology
CAPACITY: we have the largest team specialised in data protection amongst law firms and we can engage experts from other practice areas of the firm, depending on the client’s area of activity (finance, energy, medicine, start-ups, commerce etc.), to effectively perform the task.
PAN-BALTIC SERVICE: Ellex offices in Estonia, Latvia and Lithuania work together daily to assist clients with pan-Baltic operations in implementing the GDPR.