GDPR in practice: When does a company need to appoint a Data Protection Officer?

by VLPlus

In this article we present the most important rules on the designation, position and tasks of data protection officers (DPOs), based on the recently revised guidelines of the Article 29 Data Protection Working Party.

The DPO plays a key role in fostering a data protection culture within the organization and helps to implement essential elements of the GDPR.

Article 37 (1) of the GDPR requires the designation of a DPO in three specific cases:

  • where the processing is carried out by a public authority or body;
  • where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
  • where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

According to the Working Party’s interpretation, monitoring is considered regular and systematic if it is ongoing or occurs at particular intervals for a particular period, and is pre-arranged, organized or methodical, takes place as part of a general plan for data collection, or is carried out as part of a strategy. Examples include email retargeting, data-driven marketing activities, profiling and scoring for purposes of risk assessment, and tracking using mobile apps.

As we explained in our previous article, the following factors should be considered when determining whether data is processed on a ‘large scale’:
  • The number of data subjects concerned - either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity.

The Working Party plans to define and publish precise numbers as thresholds in the future.

The GDPR does not define professional requirements for a DPO. In the Working Party’s opinion, the level of expertise should be proportional to the sensitivity, complexity and amount of data processed by the organization. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support. DPOs must have expertise in national and European data protection laws and practices, as well as an in-depth understanding of the structure of the organization.

According to the GDPR, data controllers and processors shall publish the contact details of the DPO and also communicate these details to the supervisory authorities, but this does not mean publishing the name of the DPO. Generally, contact details mean a dedicated telephone number, email address or postal address, but other means of contact may be provided as well.

The most important factor regarding the legal status of DPOs is independence, which means that every data controller (processor) is required to ensure that DPOs do not receive any instructions regarding the exercise of their tasks, whether or not they are an employee of the controller. DPOs shall report directly to the highest management level of the controller or the processor, which allows them to present a dissenting opinion to the management in case of a decision incompatible with data protection principles. Another important guarantee of the independence of DPOs is that they may not be dismissed or penalized by the controller or the processor for performing their tasks. In this respect the Working Party points out that a sanction might be indirect (e.g. delay of promotion) or might take the form of a threat of a penalty.

The other important feature of the position of DPOs is the regulation of conflicts of interest. According to the GDPR, DPOs may fulfil other tasks and duties, but these may not result in a conflict of interest. Conflicting positions within the organization may include senior management positions or other roles lower down in the organizational structure, if such positions or roles lead to the determination of purposes and means of processing. The Working Party advises that the vacancy notice for the position of DPO or the service contract should be sufficiently precise and detailed in order to avoid a conflict of interest.

DPOs shall be given the necessary resources to carry out their tasks, as well as access to personal data and processing operations. These resources include active support by senior management, sufficient time to fulfil their duties, official communication of the designation of the DPO to all staff, and, where appropriate, adequate support in terms of financial resources and infrastructure.

A DPO’s general task is monitoring compliance with the GDPR. As part of this duty to monitor compliance, DPOs may, in particular:
  • collect information to identify processing activities;
  • analyze and check the compliance of processing activities;
  • inform, advise and issue recommendations to the controller or the processor.

In addition, DPOs play an important role in data protection impact assessments and in cooperation and communication with supervisory authorities. Although the GDPR declares that it is the task of data controllers (processors) to maintain a record of processing operations, the Working Party adds that nothing prevents the controller or the processor from assigning this task to the DPO.