Under the General Data Protection Regulation (GDPR), companies that process large amounts of sensitive personal data or consistently monitor data subjects on a large scale will be required to appoint a data protection officer (DPO).
As discussed in our previous posts, the DPO will have significant responsibilities, including reporting on data to the highest management level. While the DPO debate has so far been focussed on where to place the DPO within company structures, confusion remains over the DPO’s actual responsibilities.
Firstly, the GDPR does not provide for any specific liability for the DPO. However, the Art. 29 Working Party addresses this issue in its Guidelines on Data Protection Officers of 13 December 2016. These guidelines state that the controller or the processor remains responsible for compliance with the data protection laws, and accordingly it will be up to the controller or processor to demonstrate compliance, regardless of how much autonomy the DPO is granted.
Therefore, even though the DPO is responsible for assisting the controller or processor in monitoring internal compliance, the DPO is not personally responsible for any non-compliance with the GDPR. In addition, the GDPR further clarifies that the DPO should not be dismissed or penalised by the controller or the processor for performing his or her tasks.
This does not mean, however, that DPOs are not liable for their activities. The DPO remains liable for non-compliance with general employment, contract, civil (or tort, within a common law scenario) and criminal rules, as also set out by the domestic laws of the relevant member states.
Accordingly, the DPO can still be dismissed or penalised based not only on obvious grounds unrelated to the DPO role such as theft or harassment, but also on other grounds related to poor performance (or non-performance) of DPO functions.
The DPO is appointed by the controller or the processor on the basis of a consultancy or an employment contract. For example, in Italy, in addition to the breach of the relevant contract provisions, the DPO may, among other things, be responsible for breach of the duty of care (diligenza) required for the tasks to be performed.
The standards for such duty of care are set at a very high level, given the importance of the DPO role and the relevance of data protection activities. Furthermore, the DPO may be responsible for breach of the loyalty obligation (obbligo di fedeltà) towards the employer, for instance in all cases in which a breach of secrecy or confidentiality obligations occurs.
Without prejudice to the DPO’s duty of care, consistent with that set out for the data processors, the DPO shall not be held liable where losses are caused by strict compliance with the data controller’s instructions.
As for responsibilities under criminal law, as a general principle in Italy the data controller (and not the DPO) may be held liable for the crimes set forth under the Data Protection Code (DPC), including the unlawful processing of personal data (trattamento illecito di dati), or the failure to adopt minimum security measures. That said, certain criminal law provisions may also remain applicable to a DPO. For instance, a DPO may still be held directly liable for violation of secrets or for false statements before the Italian Data Protection Authority.
The above conclusions will apply regardless of whether the DPO is a corporate entity or an individual. That said, it can also be argued that any assessment of a DPO’s responsibilities should be linked to the resources they have been allocated. In this respect the GDPR provides that, among other things, companies should support the DPO by providing all resources necessary to carry out their tasks and maintain their expert knowledge. Such knowledge will need to be proportionate to the sensitivity, complexity and volume of data processed by the company.
Should DPOs be put in a position where they are unable to adequately perform their role, for instance without adequate staff and funds for training, their degree of responsibility will likely be reduced. To this end, DPOs should accurately document requests they make for resources to properly carry out their tasks. This might include requests for more team members or time to dedicate their full attention to DPO tasks without being absorbed by other prevailing company duties. In this respect, the WP29 Guidelines may provide very useful guidance.
Given their expert knowledge, it would be up to the DPOs to determine whether the resources allocated to them are adequate, and raise a red flag to the highest management levels if this is not the case. This issue of the allocation of adequate resources is fundamental as, once appointed, DPOs cannot just say that they are responsible for the overview of only “part” of the company’s processing activities.