Article 37(1) of the GDPR provides that the controller or processor must appoint a Data Protection Officer (DPO) in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller/processor require regular and systematic monitoring of data subjects on a large scale;
- the core activities consist of processing on a large scale of "special categories of data" (art.9) or data relating to criminal convictions.
The Article 29 Working Party (WP29) has given some useful guidelines concerning the obligation to appoint a DPO and the position of the DPO (see: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083).
In general, the WP29 recommends appointing a DPO (i) if in doubt whether the appointment of a DPO is mandatory, and (ii) as best practice, even for organisations which are not legally obliged to do so. Importantly, however, where a DPO is voluntarily appointed, the requirements of the GDPR will nevertheless apply to his/her appointment, position and tasks.
Clearer definition and interpretation
As mentioned above, some terms have been further defined and interpreted by the WP29:
- "public authority or body": this notion must be determined under national law. Typically, this includes national, regional and local authorities as well as other bodies which are governed by public law;
- "core activities": core activities are the "key operations necessary to achieve the controller or processor’s goals". As an example, WP29 states that "the core activity of a hospital is to provide health care. However a hospital could not provide health care safely and effectively without processing health data, such as patients’ health records. Therefore, processing the data should be considered to be one of any hospital’s core activities, and hospitals must therefore designate a DPO".
The WP29 points out that the core activities must not be confused with the necessary support functions/activities which are carried out by every organisation but which do not fall under what one could call the controller or processor’s company purpose (e.g. paying employees or having standard IT activities).
- "large scale": WP29 does not give a precise definition of the term "large scale" but rather cites a number of factors which should be taken into consideration when determining whether the processing can be described as being carried out on a "large scale". These are the following:
- the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration or permanence of the data processing activity; and
- the geographical extent of the processing activity.
Examples of large-scale processing are: processing of patient data in the regular course of business by a hospital, processing of travel data of individuals using a city’s public transport system, etc.
- "regular and systematic monitoring": includes "all forms of tracking and profiling on the internet". However, the notion of monitoring should not be restricted to the online environment.
The term "regular" must be interpreted as meaning one or more of the following:
- ongoing or occurring at particular intervals for a particular period;
- recurring or repeated at fixed times;
- constantly or periodically taking place.
The term "systematic" means one or more of the following:
- occurring according to a system;
- pre-arranged, organised or methodical;
- taking place as part of a general plan for data collection;
- carried out as part of a strategy.
To be considered as regular and systematic monitoring: operating a telecommunications network, email targeting, loyalty programs, etc.
The DPO, the Great Unknown
WP29 gives some general guidelines on the function and tasks of the DPO.
- Where a group of undertakings wants to appoint a single DPO, he/she should be easily accessible, not only externally (contact with the supervisory authority and data subjects, in the language of the supervisory authority and data subjects), but also internally (as one of his/her tasks is informing and advising the controller/processor).
- Personal availability of the DPO is essential to ensure that data subjects can contact the DPO (physically or via hotline or other secure means of communication).
- The DPO should be a qualified professional. Depending on the complexity of the data processing activity, the DPO "may need a higher level of expertise and support". Therefore, the DPO should be chosen carefully, taking into account the nature of the processing activities.
- The DPO should have a thorough knowledge of the GDPR and an expertise in national and European data protection law.
- The DPO should also be involved from the start in all issues relating to data privacy within the organisation.
- As good practice, the name and contact details of the DPO should be submitted to both the supervising authority as well as to the staff of the organisation, so as to ensure that the DPO is easily accessible.
- To carry out his/her tasks, the DPO should be provided with all necessary resources, such as active support by the senior management, sufficient time to fulfil his/her duties, financial resources, infrastructure and, if appropriate, staff, necessary access to other services such as HR, legal, IT, etc. As a general rule, the more complex/sensitive the processing is, the more resources must be given to the DPO.
- The DPO may not be sanctioned/penalised as a result of performing his/her functions of DPO. However, the DPO may still be legitimately dismissed for reasons other than performing his/her tasks as a DPO (e.g. theft, sexual harassment, gross misconduct, ...).
- The DPO should monitor compliance with the GDPR. In the framework of this task, the DPO may collect information to identify processing activities, analyse and check the compliance of processing activities, and inform/advise the controller/processor.
- It is possible to appoint an external service provider as DPO. If the external service provider works with a team of individuals to carry out the function of DPO, each member of the team must meet the relevant requirements of the GDPR with regard to the DPO, and will also be protected by the provisions of the GDPR (e.g. no unfair termination of service contract for activities as DPO).
- The DPO may not hold a position within the organisation which would lead him/her to determine the purposes and means of the processing of personal data, as this could result in a conflict of interest. Organisations must assess this on a case-by-case basis and could, for instance, identify which positions are considered incompatible with the DPO function.
- DPOs are not personally liable in case of non-compliance with the GDPR.
Although WP29 guidelines do not give a clear yes/no answer, they give some useful guidance to controllers/processors, who will have to assess whether or not they are obliged to appoint a DPO and, if so, whom they will appoint and what the scope will be of the DPO’s function.