Who needs a Data Protection Officer? 

This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and must be complied with by 25 May 2018.

This issue focuses on the appointment and role of the Data Protection Officer ("DPO") and includes the guidelines and FAQs issued recently by the Article 29 Working Party ("Article 29 WP"). These documents are of particular importance as they provide guidance on how to interpret the GDPR requirements regarding the appointment of a DPO. It appears that the Article 29 WP interprets the appointment criteria very broadly. Consequently, many companies - probably many more than initially expected - will be obliged to appoint a DPO.

The Article 29 Working Party's guidelines are not yet final and stakeholders may submit comments through January 2017 to JUST-ARTICLE29WP-SEC@ec.europa.eu or presidenceg29@cnil.fr.

Skip to the end for a quick overview of the main takeaways and to do's.

Appointment of a DPO

Mandatory appointment of a DPO: broad interpretation of the rules

The GDPR requires the appointment of a DPO in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 of the GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.

The obligation to appoint a DPO applies to both controllers and processors. Organizations may appoint a single DPO for various entities provided the DPO can be easily accessed by each entity. The DPO should also be easily accessible to the relevant data subjects and supervisory authorities. This means that the DPO should be able to communicate in the language(s) used by the data subjects and supervisory authorities.

Unless it is obvious that a company does not need to appoint a DPO, the Article 29 WP recommends that companies document their analysis determining whether they need to appoint one.

The Article 29 WP has issued guidelines on the interpretation of the abovementioned criteria. It appears that the Article 29 WP interprets certain concepts rather broadly as further explained below.

Processing by a public authority or body

All public authorities or bodies, with the exception of courts acting in their judicial capacity, must appoint a DPO. The GDPR does not provide a definition of public authority or body. Therefore, this concept should be interpreted in accordance with national law.

Core activities requiring regular and systematic monitoring on a large scale

Companies whose core activities consist of data processing operations requiring regular and systematic monitoring of data subjects on a large scale must also appoint a DPO.

The concept of core activities is interpreted fairly broadly to refer to key operations necessary to achieve the controller's or processor's goals, including processing activities that form an inextricable part of the controller's or processor's activities. Please find below a number of examples given in the Article 29 WP guidelines:

  • Processing of patient data by hospitals: The core activity of a hospital is to provide healthcare. However, a hospital cannot safely and effectively provide healthcare without processing health data. Processing of health data forms an inextricable part of the hospital's core activity.

  • Processing of personal data by a private security company: The core activity of a private security company is surveillance of shopping centers and public spaces. To perform this task, the company needs to process personal data of persons visiting the shopping centers and public spaces. The processing of the personal data of the persons concerned is inextricably linked to the organization's core activity.

Another example is:

  • Processing of customer data by a webshop: The core activity of the webshop is to sell goods. However, the webshop cannot do so without processing the personal data of online shoppers.

Regular and systematic monitoring includes all forms of online and offline monitoring of data subjects, including tracking and profiling on the Internet.

The Article 29 WP interprets regular as referring to one or more of the following:

  • ongoing or occurring at particular intervals for a particular period;

  • recurring or repeated at fixed times;

  • constantly or periodically taking place.

The Article 29 WP interprets systematic as referring to one or more of the following:

  • occurring according to a system;

  • pre-arranged, organised or methodical;

  • taking place as part of a general plan for data collection;

  • carried out as part of a strategy.

The GDPR does not specify in objective, quantitative terms what constitutes large-scale data processing. Therefore, each processing activity must be assessed in order to determine whether it constitutes large-scale processing. Such an assessment should take into account the following factors:

  • the number of data subjects concerned;

  • the volume of data and/or the range of different data items being processed;

  • the duration, or permanence, of the data processing activity;

  • the geographic extent of the processing activity.

Please find below a few examples of large-scale data processing provided in the Article 29 WP guidelines.

  • processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services;

  • processing of customer data in the regular course of business by an insurance company or a bank;

  • processing of personal data for behavioural advertising by a search engine.

Core activities consisting of the large-scale processing of sensitive data

For an interpretation of core activities and large scale, please refer to the preceding paragraphs.

Sensitive data refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation and data relating to criminal convictions and offences.

Voluntary appointment of a DPO: be careful with the job title!

A company that is not legally required to appoint a DPO may do so on a voluntary basis. However, in this case, the relevant requirements of the GDPR (i.e. Articles 37 to 39) will be applicable. In other words, if a company voluntarily appoints a person and gives him or her the title of DPO, it must comply with the applicable provisions of the GDPR.

Therefore, if a company wants to entrust an employee or an external party with data protection tasks but wishes to avoid the application of Articles 37 to 39 of the GDPR, the employee or consultant should not be given the DPO job title.

DPO: employee or external party

The position of DPO may be exercised by an employee or an external contractor. In the latter case, all provisions of the GDPR apply to the contractor. This means, amongst other things, that the service agreement may not be terminated for reasons related to the performance of data protection tasks by the external DPO.

Publication and communication of the DPO's contact details

The controller or processor must publish the contact details of the DPO, in order to allow data subjects to easily reach the DPO, and provide them to the relevant supervisory authorities. It is not required to publish the name of the DPO.

Expertise and skills of the DPO

The controller or processor must appoint a DPO with the professional qualities, knowledge of data protection law and practices, and ability to fulfil the tasks prescribed by the GDPR.

Professional qualities

The GDPR does not specify the professional qualities that should be considered when appointing a DPO. According to the Article 29 WP, relevant factors to be taken into account are:

  • expertise in national and European data protection laws and practices;

  • in-depth understanding of the GDPR;

  • knowledge of the business sector and organisation of the controller/processor;

  • understanding of the controller's or processor's data processing operations, IT systems, data security and data protection needs.

Level of expertise

The DPO's level of expertise must be commensurate with the sensitivity, complexity and volume of data processed by the organization.

Ability to fulfil his or her tasks

The ability to fulfil his or her tasks refers to the personal qualities and knowledge of the DPO as well as to his or her position within the organisation. Personal qualities include integrity and high ethical standards.

Position of the DPO

1. The controller or processor must involve the data protection officer properly and in a timely manner in all issues relating to the protection of personal data.

This obligation is crucial. It goes without saying that if the DPO is not involved properly and in a timely manner, he or she cannot fulfil his or her role. Therefore, companies should organize themselves so that the DPO is duly informed and consulted as early as possible in any project or activity involving the processing of personal data and any meeting or process at which decisions are taken with regard to personal data processing.

2. The controller or processor must provide the data protection officer with the resources necessary to carry out his or her tasks, access personal data and processing operations, and maintain his or her expert knowledge.

Necessary resources include:

  • active support by senior management; such support is important not only for the proper performance by the DPO of his or her role but for GDPR compliance in general, as without senior management support it is impossible to effectively roll out a GDPR-compliant privacy programme;

  • sufficient time for the DPO to fulfil his or her tasks - this is particularly important for part-time DPOs;

  • adequate support in terms of financial resources, infrastructure and staff;

  • access to services such as HR, IT, security, legal, etc.;

  • time and financial support for continuing training.

The more complex and/or sensitive the processing operations, the more resources may need to be allocated to the DPO. Also, depending on the size and structure of the organization, it may be necessary to set up a DPO team.

3. The controller or processor must ensure that the data protection officer does not receive any instructions regarding the exercise of his or her tasks.

This means that the DPO may not receive instructions on how to deal with a certain data protection matter. For example, the DPO may not be instructed on the results to be achieved, how to investigate a complaint, how to interpret data protection laws, etc. In other words, the DPO must be completely autonomous in performing his or her tasks. Of course, such autonomy does not extend beyond these tasks.

4. The DPO may not be dismissed or penalised by the controller or processor for performing his or her tasks.

The GDPR protects the DPO against dismissal or penalties relating to the performance of his or her tasks, thereby creating a new category of protected employee. This protection is limited to the DPO's data protection tasks, meaning he or she may be dismissed for other, unrelated reasons.

5. The data protection officer shall report directly to the highest management level of the controller or processor.

6. The data protection officer is bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with EU or Member State law.

7. The data protection officer may fulfil other tasks and duties. The controller or processor must ensure that any such tasks and duties do not result in a conflict of interests.

This obligation is particularly important for part-time DPOs. DPOs may be entrusted with other tasks provided they do not give rise to conflicts of interest. For example, the DPO cannot hold a position in which he or she determines the purposes and the means of personal data processing. The Article 29 WP states that, as a rule of thumb, conflicting positions include chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department and the HR director.

Tasks of the DPO

The GDPR provides a minimum list of tasks that must be entrusted to the DPO. However, organizations remain free to allocate additional tasks.

In any case, the DPO shall have at least the following tasks:

(a) to inform and advise the controller or processor and employees who carry out processing of their obligations pursuant to the GDPR and other relevant EU/Member State data protection laws;

(b) to monitor compliance with the GDPR and other relevant EU/Member State data protection laws, with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and related audits;

(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance;

(d) to cooperate with the supervisory authority;

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

In the performance of his or her tasks, the DPO must adopt a risk-based approach. This means that the DPO must prioritise his or her activities and focus on issues that present a higher data processing risk.

Sanctions

Non-compliance by the controller or processor with the DPO provisions may be sanctioned by the imposition of administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher.

It is important to emphasise that the GDPR provides for sanctions for the controller or processor, not the DPO. However, depending on the circumstances, a DPO could be held liable on other grounds under Member State law.

Takeaways and to do's

To view the table click here

 

Relevant provisions

Recital 97

Articles 37, 38 and 39