
General Data Protection Regulation

APPOINTMENT OF A DATA PROTECTION OFFICER

Prepared for: ORGREZ DATA s.r.o., Company ID: 19147261, with registered office at Hudcova 660/76d, Medlánky, 612 00 Brno (“ORGREZ”)

According to Article 37(1) of the GDPR, a controller shall designate a Data Protection Officer (DPO) where:

a) processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

b) the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

c) the core activities of the controller or processor consist of large-scale processing of special categories of data referred to in Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

The ORGREZIO ESG product is a tool for ESG/CSRD reporting (cloud/whitelabel/on-premise). Personal data processed include: name, surname, email, phone number, role, company name, password, access logs and audit logs. Special categories of personal data within the meaning of Article 9 GDPR are neither part of the standard configuration of the Application nor part of ORGREZ’s core activities. If they exceptionally appear in client data (e.g., within the “S” module), they are processed exclusively in an incidental and auxiliary manner, with ORGREZ acting as a processor, and not as part of ORGREZ’s core business activities. In cloud mode, ORGREZ may access data for the purposes of support and maintenance. ORGREZ acts as a processor when providing these services.

Assessment of the applicability of Article 37 GDPR conditions:

a) Public authority/body – NO (private company).

b) Large-scale, regular and systematic monitoring – NO. The operation of security and access logs serves exclusively to ensure the security, integrity and availability of the system and does not constitute the core business activity of ORGREZ. ORGREZ does not perform profiling, behavioral analysis, or systematic monitoring of natural persons within the meaning of the interpretative guidelines for Article 37 GDPR.

c) Large-scale processing of special categories – NO. Special categories may occur marginally for certain clients, but this does not constitute ORGREZ’s core activity. At the same time, according to available information, such categories are not processed on a large scale across the client base.

In view of the above, it can be concluded that ORGREZ is not obliged to appoint a Data Protection Officer.

What should trigger a reassessment of whether a DPO must be appointed:

• ORGREZIO ESG begins to routinely (not exceptionally) process special categories of data (e.g., health status, ethnic origin) across clients.

• A feature is introduced that constitutes regular and systematic monitoring of the behavior of natural persons (e.g., tracking employee performance over time with profiling).

• ORGREZ begins to substantially serve public sector entities (which are required to have a DPO and may require this from their suppliers).