Under specific conditions the General Data Protection Regulation (GDPR) requires a data controller to appoint a Data Protection Officer or DPO. When do you need to foresee such a Data Protection Officer in your GDPR business strategy, what are his/her tasks and more.
While it’s recommended to have someone who is responsible for personal data protection (and GDPR compliance) and for general data protection, the Data Protection Officer is only mandatory in three circumstances.
When do you need a Data Protection Officer under the GDPR?
You need a Data Protection Officer in following cases:
- The processing (of personal data) is done by public authorities or a public body, with an exception for courts and independent judicial authorities.
- The processing is done by processors who regularly and systematically observe ‘data subjects’ (EU residents) on a large scale.
- The processing involves specific ‘special’ data categories (which are defined in the GDPR), again on a large scale, as processing these special types of personal data is part of your core business. Data regarding crimes and convictions are included here.
Skills and tasks of the Data Protection Officer
A challenge that arises is that the text doesn’t say what exactly ‘large scale’ means although in the list of resources below there are some attempts to put some numbers on it.
Attention though: the numbers that existed in proposals of the GDPR do not exist in the final text. So, you don’t need a DPO when you employ over 250 people nor when your process over 5,000 personal records (even if you will find resources or presentations that say so).
According to the text of the GDPR, as it is published in the Official Journal of the European Union, the Data Protection Officer must:
- Have expert knowledge of data protection, both law and practices, including the GDPR obviously.
- Help the data controller or data processor by monitoring internal compliance with the GDPR (the data controller and processor also need to assist the Data Protection Officer in performing his duties).
- Be able to perform their duties and tasks in an independent manner (although they can be employed by the data controller, in Germany Data Protection Officers have been employed since quite some time).
In non-legalese: you only need a DPO in three specific circumstances. If you are an organization that falls under one or more of these three, you can appoint an external Data Protection Officer or appoint someone within your company.
Moreover, the DPO does not need to be a full-time job so they can be employees with other tasks as well (as long as there are no conflicts of interest).
However, when they are performing duties in the scope of their role as DPO, they must be enabled to work independently whereby reporting is done directly to top management. And do we need to add that a DPO is bound by secrecy and confidentiality?
There is also a duty of registration of the DPO with the European Data Protection Supervisor. The data protection officer, when there is one of course, also needs to be consulted and involved in case a Data Protection Impact Assessment or DPIA is needed.
Last but not least, a DPO can work for several organizations but at the same time he/she is the Single Point of Contact for the organization(s).
The Data Protection Officer and the number of employees
Attention: an often made mistake concerns organizations with less than 250 employees. Amendments have been made and the published text mentions these companies at two occasions:
In the introduction (Recital 13): “To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC”
In GDPR Article 30 regarding the records of processing activities (about the maintaining of a record of processing activities and of a record of all categories of processing activities carried out on behalf of a controller) the data protection officer is mentioned as a possible responsible for these records of processing activities (“where applicable”).
Yet, the text clearly states that “the obligations referred to in paragraphs 1 and 2 (note: the two paragraphs in Article 30) shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10″.
- The mentioned Article 9 concerns personal data regarding highly personal characteristics of the data subject (e.g. race, religion, trade union membership, genetic data, sexual orientation and so forth).
- The mentioned Article 10, as Article 30 already says, is about data relating to criminal convictions and offences.
Nowhere in the articles with regards to the conditions about the duty to have a Data Protection Officer, the number of employees is mentioned.
In other words: beware as it’s the nature of data processed and nature of the organization with regards to data processing activities that comes first in the DPO duty context as mentioned and the exceptions for organizations with less than 205 employees in general are not absolute.
Articles regarding the Data Protection Officer
The official text of the GDPR contains several more articles where the role of the Data Protection Officer is mentioned. This happens across the text as the duties of the DPO and the circumstances in which a DPO can be involved are numerous.
Among the main GDPR Articles on the DPO, however, are GDPR Articles 37, 38 and 39 which, respectively, tackle the designation of the Data Protection Officer, the position of the Data Protection Officer and the tasks of the Data Protection Officer.
Data protection officer designation
GDPR Article 37 sums up the beforementioned conditions under which a controller and processor have to designate a data protection officer and states that a group of undertakings can appoint one data protection officer.
Article 37 further mentions the basis on which a DPO is to be designated such as the professionalism and expert knowledge of data protection law and practices. There are also stipulations regarding DPOs in case the controller or processor is a public authority and the previously mentioned fact that the DPO can be a staff member is also there.
An additional important element to remember – and that responds to, among others, several data subject rights and the several occasions in which the DPO might be called upon, is the fact that the data protection officer’s contact details need to be published and communicated to the supervisory authority.
Data protection officer position
GDPR Article 38 looks a bit deeper at the position, and more precisely, involvement and ‘empowerment’ of the data protection officer.
It is up to the controller and processor to make sure that the data protection officers gets involved in a proper and timely (important!) way in all issues regarding personal data protection.
It’s also in Article 38 that the support, resources and access to personal data and personal data processing operations are mentioned. In other words: he/she must be able to do his/her job. Moreover, the data protection officer must be enabled in maintaining the expert knowledge required for the job.
Further, Article 38 contains rules that must protect the data protection officer from inappropriate interference, establish the reporting lines (directly to top management), demand confidentiality and enable him/her to also do other things, as mentioned as long as no conflicts of interest arise as a result.
Data protection officer tasks
Finally, GDPR Article 39 sums up the tasks of the data protection officer. Or better: it sums up the tasks that the data protection officer has AT LEAST.
These include the duty to inform and advice the controller or processor and the staff that conducts personal data processing operations and the duty to monitor GDPR compliance, work with the supervisory authority, be the contact point for that supervisory authority, also in the case of prior consultation (GDPR Article 36) and offer advice in case a data protection impact assessment or DPIA is required.
Next in regulations and compliance: EU DORA Digital Operational Resilience Act
Top image: Shutterstock – Copyright: Jirsak – All other images are the property of their respective mentioned owners.