What is a Data Protection Officer?
A Data Protection Officer is the person formally tasked with ensuring that the organisation is aware of its data protection responsibilities and obligations under the GDPR and Member State law.
According to Recital 97 of the GDPR the DPO should be:
“a person with expert knowledge of data protection law and practices”.
Under the GDPR, it is mandatory for certain controllers and processors to designate a Data Protection Officer (“DPO”). This is the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that, as a core activity, monitor individuals on a large scale or process special categories of personal data on a large scale.
The GDPR recognises the DPO as a key player in the new data governance system and lays down conditions for his or her appointment, position and tasks.
Designation of the DPO.
Article 37(1) of the GDPR requires the designation of a DPO in three specific cases:
a) where the processing is carried out by a public authority or body;
b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
Organisations that are not required to appoint a DPO are free to do so of their own volition. Whenever a DPO is appointed, whether mandatorily or voluntarily, the organisation must publish the DPO's contact details and communicate them to the relevant supervisory authority.
Public Authority or Body.
The GDPR does not define what constitutes a public authority or body; the notion is to be determined under national law. Accordingly, public authorities and bodies include national, regional and local authorities, but the concept, under the applicable national laws, typically also includes a range of other bodies governed by public law. In all such cases, the designation of a DPO is mandatory.
Core Activities.
Article 37(1)(b) and (c) of the GDPR refers to the ‘core activities of the controller or processor’.
Recital 97 specifies that the core activities of a controller relate to
‘primary activities and do not relate to the processing of personal data as ancillary activities’.
Core activities can be considered as the key operations necessary to achieve the controller’s or processor’s goals. However, ‘core activities’ should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s activity.
Large Scale.
Article 37(1)(b) and (c) requires that the processing of personal data be carried out on a large scale in order for the designation of a DPO to be triggered. The GDPR does not define ‘large scale’ either.
According to Recital 91, this should in particular apply to
“large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk”.
On the other hand, the same recital specifically provides that
“the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer”.
In any event, the WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
• The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
• The volume of data and/or the range of different data items being processed
• The duration, or permanence, of the data processing activity
• The geographical extent of the processing activity
Regular and Systematic Monitoring.
The notion of regular and systematic monitoring of data subjects is not defined in the GDPR, but the concept of ‘monitoring the behaviour of data subjects’ is mentioned in Recital 24 and clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.
However, the notion of monitoring is not restricted to the online environment and online tracking should only be considered as one example of monitoring the behaviour of data subjects.
WP29 interprets ‘regular’ as meaning one or more of the following:
• Ongoing or occurring at particular intervals for a particular period
• Recurring or repeated at fixed times
• Constantly or periodically taking place
WP29 interprets ‘systematic’ as meaning one or more of the following:
• Occurring according to a system
• Pre-arranged, organised or methodical
• Taking place as part of a general plan for data collection
• Carried out as part of a strategy
Role of the DPO.
The DPO has an independent position and is protected by the GDPR.
DPOs are not personally liable for non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure, and to be able to demonstrate, that processing is performed in accordance with its provisions (Article 24(1)). Data protection compliance remains the responsibility of the controller or the processor, not of the DPO.
Tasks of the DPO.
Under Article 39(1), the DPO shall have at least the following tasks:
a) To inform and advise the controller or the processor, and the employees who carry out processing, of their obligations under the GDPR and other data protection law
b) To monitor compliance with the GDPR, with other data protection law and with the controller's or processor's own data protection policies
c) To provide advice where requested as regards the data protection impact assessment and to monitor its performance pursuant to Article 35
d) To cooperate with the supervisory authority
e) To act as the contact point for the supervisory authority on issues relating to processing