It is well known that the General Data Protection Regulation („GDPR“) will apply as of 25 May 2018 and will affect all data processing that relates to the European market. The GDPR introduces numerous new data compliance related obligations for data controllers as well as for data processors located anywhere in the world, if such data processing affects data subjects in the European Union. One of the compliance questions often asked by international clients relates to the issue of whether or not to designate a data protection officer („DPO“): What is the specific role of the DPO and do I have to designate one? Here is a brief overview.
What is the role of a DPO?
According to the GDPR, the data protection officer is the person who informs and advises the controller or processor, and the employees who carry out data processing, of their obligations under EU or local data protection provisions, and who monitors compliance with the GDPR and other applicable data protection laws.
Is a DPO mandatory?
Companies may choose to designate a DPO on a voluntary basis at any time. However, according to Article 37 of the GDPR, a controller or processor must designate a DPO if its core activities consist of large-scale operations of (1) regular and systematic monitoring of data subjects or (2) processing of special categories of data (Article 9) or personal data relating to criminal convictions and offences (Article 10). In addition, Member States may establish other requirements related to the designation of a DPO under national law. Germany, for instance, requires companies to nominate a data protection officer if they employ ten or more persons to process personal data, if their processing of data is subject to a data protection impact assessment (Article 35) or if the data processing is for the purposes of transmission or market research.
„If core activities consist of large scale processing…“
The GDPR requirement to designate a DPO is based on the principle that, if the core activities of a controller or processor relate to data processing, this may in particular impact the fundamental rights and freedoms of natural persons. The term „core activities“ means the key operations necessary to achieve the controller’s or processor’s goals. Necessary support functions, however, such as paying wages to employees or operating standard IT and the corresponding IT support activities, are not considered „core activities“.
Further, a DPO is only mandatory under Article 37 of the GDPR if such activities are carried out on a large-scale basis. However, the GDPR does not define what constitutes large-scale processing. The Article 29 Data Protection Working Party („WP29“) recommends in its Guidelines on Data Protection Officers (WP 243) that factors such as the number of data subjects concerned, the volume of data and the range of different data items being processed, the duration or permanence of the data processing activity and the geographical extent of the processing activity be taken into consideration. According to WP29, examples of large-scale processing include the processing of customer data in the regular course of business by insurance companies or banks, the processing of personal data for behavioural advertising by a search engine or the processing of data by telecommunications service providers.
Only systematic monitoring or processing of sensitive data triggers the DPO obligation
Not all large-scale data processing will trigger the obligation to designate a DPO, even if this processing is a core activity. The GDPR refers only to regular and systematic monitoring and to the processing of special categories of data, both on a large-scale basis. The WP29 interprets „regular“ as „ongoing or occurring at particular intervals for a particular period“ and/or „recurring or repeated at fixed times“ and/or „constantly or periodically taking place“. To be „systematic“, processing must occur according to a system, be pre-arranged, organised or methodical, take place as part of a general plan for data collection or be carried out as part of a strategy. Profiling and scoring activities, location tracking and the monitoring of wellness and fitness would therefore be considered regular and systematic within the meaning of Article 37 of the GDPR. Any large-scale processing of sensitive data as defined in Article 9 of the GDPR, including health data and data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, would require the designation of a DPO.
What about the processor?
Article 37 applies to both the controller and the processor. Each must comply with the requirements set out by the GDPR and in some cases both must nominate a DPO.
May I designate a single DPO for several entities?
Article 37 (2) of the GDPR allows a group of undertakings to designate a single DPO, provided that she or he is „easily accessible from each establishment“. This is linked to the role of the DPO, which requires the DPO to have a sound command of the entity’s local language and be easy for staff and local authorities to contact directly. The WP29 recommends that the DPO be located within the EU in order to comply with the easy access requirement.
What is the risk?
Any non-compliance with the requirement to designate a DPO is subject to administrative fines up to EUR 10 million or up to 2% of the total worldwide annual turnover of the preceding financial year of the undertaking, whichever is higher.