As set out in the General Data Protection Regulation (GDPR), a data protection officer (DPO) plays a crucial role in the data privacy landscape. The provisions covering the designation, position and tasks of a DPO are detailed in Articles 37, 38 and 39 of the GDPR.
Who needs to appoint a DPO?
In principle, public authorities and companies that carry out systematic and regular monitoring of data subjects on a large scale, or those whose core activities involve processing special categories of data or criminal convictions on a large scale, should appoint a DPO. However, European Union (EU) Member States have established additional rules for appointing a DPO depending on, for example, the number of employees the company has (i.e., Germany) or the processing activities or industry of the company (i.e., Spain). The appointment of a DPO is not a requirement just for controllers. Processors also must appoint a DPO if they meet the thresholds mentioned above.
Who can be a DPO?
The role of the DPO is to act as an intermediary between the organization, the data protection authorities (DPAs) and the data subjects. Therefore, when appointing a DPO, the contact details for the local DPO in each establishment where the organization is based should be available to data subjects and DPAs. A group of undertakings may appoint a single DPO, provided that the DPO is easily accessible from each establishment. The DPO does not necessarily need to be based in the EU. However, it is useful to appoint a DPO based in the same time zone or who can communicate in the same language as the relevant DPA where the organization is established.
A DPO can be an individual or an organization, and organizations can outsource the role of the DPO or appoint someone within the organization. Before appointing someone internally as DPO, it is important that the organization carries out an ad hoc assessment to determine who can be appointed as a DPO, as some roles (such as the chief information security officer or the general counsel) could end up being in conflict with the responsibilities of a DPO. The DPO cannot have a role requiring them to determine the means and purposes of processing data, and the DPO cannot be the same person as the EU representative, since this role is incompatible with the independence criteria needed for a DPO. The organization also should have internal protocols to ensure that the DPO is independent.
In addition, the DPO should have authoritative knowledge of data protection laws and practices and the ability to fulfill their tasks and should directly report to the highest management level of the organization (ideally, the board of directors). The organization should provide the DPO with the resources necessary to carry out those tasks and access to personal data and processing operations to maintain their expert knowledge.
What are the main functions of a DPO?
The DPO should have at least the following tasks or functions, according to the GDPR:
- Informing and advising the organization and its employees of their obligations pursuant to the GDPR.
- Monitoring compliance with the GDPR and with the policies of the organization in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and related audits.
- Providing advice where requested regarding the data protection impact assessment and monitoring its performance.
- Cooperating with the DPAs.
- Acting as the contact point for DPAs on issues relating to processing, including the prior consultation referred to in Article 36, and consulting, where appropriate, about any other matter.
What happens if we do not agree with the DPO? Can we dismiss the DPO?
It is acceptable for organizations to disagree with the DPO. However, in such cases, they should document their decisions when there is a discrepancy between the DPO and the business, and expressly state why the organization is not following the decision of the DPO.
DPOs do have certain protections to safeguard their independence. Under the GDPR, these protections are not to suffer detriment and dismissal. DPOs are not protected in all circumstances – for example, they can be dismissed for gross misconduct.
Is the DPO liable for the organization’s breaches of the GPDR? What happens if we do not appoint a DPO?
The DPO is responsible for monitoring compliance with the GDPR by the organization, but the DPO is not liable for breaches made by the organization. Failing to appoint a DPO where one is required may attract a fine of 10 million euros or 2% of annual global turnover, whichever is higher.