The data protection officer (DPO)
The GDPR contains rules on when it is mandatory for controllers and processors to designate a data protection officer. The Article 29 Data Protection Working Party (WP29) issued guidelines on data protection officers (DPOs) on 13 December 2016, which were then revised on 5 April 2017, interpreting the respective provisions of the GDPR (Articles 37-39 and Recitals 77 and 97). A Q&A on the data protection officer follows below.
I Designation of the data protection officer (DPO)
1. When is it mandatory to designate a DPO for entities other than public authorities and bodies?
Privately held data controllers and data processors must appoint a DPO if
a) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale OR
b) the core activities of the controller or the processor consist of processing special categories of data on a large scale (for example, personal data revealing ethnic origin, political opinions, trade union membership, genetic data, health data) or personal data relating to criminal convictions and offences OR
c) the laws of the relevant Member State so provide.
As per the guidelines of the WP29, controllers and processors are strongly advised to prepare an analysis on whether or not they are required to designate a DPO and to also document the analysis. If the controller / processor comes to the conclusion that a DPO must be designated, a written contract must be concluded with him / her.
The WP29 further recommends that if the controller or processor is unable to decide if a DPO must be designated, it is better to designate one. This is because failure to appoint a DPO may result in a fine being imposed on the entity if the authority comes to the conclusion during an inspection that a DPO should have been designated.
1.1 What does "core activities" mean?
Core activities can be considered as the key operations necessary to achieve the controller’s or processor’s goals (e.g. a hospital processing health data in connection with providing health care services, a security company providing surveillance services).
1.2 What does "large scale" mean?
The GDPR does not define what constitutes large-scale processing and it is not possible to give a precise number which would be applicable in all situations. The WP29 says that over time, a standard practice may develop for identifying in more specific and/or quantitative terms what constitutes "large scale" in respect of certain types of common processing activities.
The WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
- the number of data subjects concerned (either as a specific number or as a proportion of the relevant population),
- the volume of data and/or the range of different data items being processed,
- the duration, or permanence, of the data processing activity,
- the geographical extent of the processing activity.
1.3 What does "regular and systematic monitoring" mean?
The GDPR does not define what constitutes regular and systematic monitoring, but it clearly includes all forms of tracking and profiling on the internet; monitoring, however, is not restricted to the online environment. The WP29 guidelines contain some guidance in this regard too. Namely, "regular" means something which occurs at particular intervals, is repeated at fixed times and/or which takes place constantly or periodically, whereas "systematic" means occurring in an organized manner or according to a general plan or strategy.
Examples of regular and systematic monitoring include, amongst others, telecommunication services, data-driven marketing activities, profiling, (credit) scoring, loyalty programs, location tracking, monitoring of fitness and health data via wearable devices, closed-circuit television (CCTV), smart meters.
2. Can a single DPO be designated for the whole group of companies?
The GDPR allows a group of undertakings to designate a single DPO provided that he or she is "easily accessible from each establishment", meaning that the DPO, with the help of a team if necessary, must be in a position to efficiently communicate with data subjects and the internal organization of the controller or processor and cooperate with the supervisory authorities concerned.
3. What qualification / expertise does a DPO have to have?
The DPO must be designated on the basis of professional qualities and expert knowledge of data protection law. The necessary level of expert knowledge should be determined in light of the data processing operations carried out. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support. DPOs must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.
4. Can a "team of data protection officers" be set up?
Yes. As per the guidelines of the WP29, given the size and structure of the organisation, it may be necessary to set up a DPO team consisting of the DPO and data protection experts who assist the DPO in carrying out his / her duties. In such cases, the internal structure of the team and the tasks and responsibilities of each member should be clearly drawn up. If the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the tasks of a DPO as a team, under the responsibility of a designated lead contact for the client.
The guidelines stress that the DPO must be in a position to efficiently communicate with data subjects and the supervisory authorities concerned. In other words, the DPO must be able to communicate in the language of the data subjects and the supervisory authorities concerned. Setting up a team of data protection officers may also be useful because, with the help of the team members, the DPO can communicate with the data subjects and the supervisory authorities concerned in languages the DPO otherwise would not be able to understand.
5. Does a DPO have to be an employee of the controller / processor?
No. The DPO may be an employee of the controller or processor, or fulfil the tasks on the basis of a service contract.
6. Where should the DPO be located?
The GDPR only provides that the accessibility of the DPO should be effective. The WP29 recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union. However, the WP29 admits that, in some situations where the controller or the processor has no establishment within the European Union, a DPO may be able to carry out his / her activities more effectively if located outside the EU.
7. Do the contact details of the DPO have to be published or communicated to anyone?
The controller or the processor must publish the contact details of the DPO and communicate them to the supervisory authority and to the employees. The contact details of the DPO should include information allowing data subjects and the supervisory authorities to reach the DPO in an easy way (postal address, telephone number, email address, specific contact form on the controller's or processor's website).
II Position of the DPO
1. Does the DPO have to be involved in data protection-related issues?
The controller / processor has to make sure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The involvement has to be documented.
For example, the controller / processor has to ensure that
- the DPO is invited to participate regularly in meetings of senior and middle management,
- the DPO's presence is recommended where decisions with data protection implications are taken,
- the opinion of the DPO must always be given due weight. In case of disagreement, as a good practice, the controller / processor is strongly advised to document the reasons for not following the DPO’s advice,
- the DPO must be promptly consulted once a data breach or another incident has occurred,
- the controller must seek the advice of the DPO when carrying out a data protection impact assessment (DPIA).
2. Does the controller / processor have to provide support to the DPO?
The controller / processor has to provide the DPO with the resources (premises, facilities, equipment, training) and access to information necessary to carry out his / her tasks.
3. Is it mandatory to draw up a work plan for the DPO?
It is not mandatory but is certainly recommended.
4. Can the controller / processor instruct the DPO?
Controllers / processors are required to ensure that the DPO does not receive any instructions regarding the exercise of his or her tasks. This, however, does not mean that the DPO has a decision-making power beyond his / her tasks. The DPO reports directly to the highest management level of the controller or the processor and the controller / processor remains responsible for compliance with data protection law and must be able to demonstrate compliance.
5. Can the controller / processor dismiss the DPO for performing his / her tasks?
Controllers and processors are not allowed to dismiss or penalize the DPO for performing his / her tasks. This means that no sanction may be applied against the DPO for his / her views. For example, if, in the DPO's view, a data protection impact assessment (DPIA) must be prepared in respect of certain (contemplated) processing activities of the data controller employing the DPO, the controller may not apply sanctions against the DPO just because the controller does not agree with the DPO. In this case, the controller must document why they do not agree with the DPO but the DPO may not be dismissed for his / her opinion and no sanction or the mere threat of any possible sanction may be applied against him / her.
At the same time, however, if the DPO gives the controller clearly false advice on a certain data protection issue (whether intentionally or by way of gross negligence), the controller may have a claim against the DPO for violation of his / her duties as DPO. Concluding otherwise would mean that the DPO would not be responsible for what he / she says.
6. Are there any conflict of interests rules?
Yes. The DPO cannot hold a position within the organisation that allows him / her to determine the purposes and the means of the processing of personal data. As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as CEO, CFO, COO, head of marketing, head of HR, head of IT) but also other roles lower down in the organisational structure if such roles lead to the determination of purposes and means of processing.
It is recommended that the controller / processor identify the positions which are in conflict with the position of the DPO, draw up internal rules and declare (in the agreement with the DPO) that there is no conflict.
III Tasks of the DPO
1. What are the tasks of the DPO?
The DPO's tasks include but are not limited to
- informing and advising the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR,
- monitoring compliance with the GDPR and applicable Member State laws (collection of information, analysis of processing activities, issuance of recommendations),
- assisting the controller with the preparation of a DPIA,
- cooperating with the supervisory authority and
- acting as contact point for the supervisory authority on issues relating to data processing and consulting, where appropriate, with regard to any matter.
2. Can the controller / processor require the DPO to keep records of processing activities?
Yes. It is the controller and the processor that are required to keep records of processing activities and not the DPO. However, the GDPR only contains a list of tasks the DPO has as a minimum. Therefore, the controller and the processor may assign, and are actually advised to assign, the task of maintaining the record of processing operations to the DPO.
In my next post, I will address issues concerning the notification of data breaches to the supervisory authorities.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.