The General Data Protection Regulation (“GDPR”) is due to come into force on 25 May 2018. It reforms Personal Data protection within the European Union in response to the evolving digital age that we live in. The authors of this legislation, inspired by the Personal Data protection rules already in place in some European countries, have introduced a new EU-wide obligation for organizations to appoint a Data Protection Officer (“DPO”).
Who is required to appoint a DPO?
Certain Personal Data Controllers and Processors are under a mandatory obligation to appoint a DPO:
- If they are a public authority or body. This includes national or regional authorities, a range of other bodies governed by public law and also legal persons governed by public or private law in specific publicly regulated sectors. The latter would include legal persons active in fields of infrastructure, water, gas or electricity supply, public transport services, public broadcasting or disciplinary bodies of regulated professions. This requirement, however, does not apply to courts within their judicial capacity.
- If their core activity requires them to monitor individuals regularly, systematically and on a large scale. All of these criteria have to be met simultaneously for the Controller or Processor to be required to appoint a DPO. The following should be taken into account:
- Processing is a core activity when it is an inextricable part of the organization's activity; for example, the core activity of a hospital is to provide health care, and that of a private security company is to perform surveillance of possible data subjects.
- What constitutes large scale processing has not yet been quantified; however, by way of example, it should include a hospital processing health related patient data, phone or internet service providers processing content, traffic or location data, a search engine processing behavioral data of its users, or an insurance company processing data of its clients.
- Regularly and systematically should be understood as ongoing or recurring, and performed in accordance with a strategy or a pre-organized methodology.
- If their core activity requires them to process special categories of Personal Data on a large scale, or Personal Data relating to criminal convictions or offences. Special categories of Personal Data means sensitive data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
Aside from the mandatory appointment of a DPO, the Article 29 Working Party (a European advisory body providing interpretation of privacy related issues) encourages Controllers and Processors to appoint a DPO on a voluntary basis, even in cases where they are not strictly required to do so, in order to better demonstrate their accountability and perhaps gain a competitive advantage.
What are the key skills required of a DPO?
Choosing the right person to perform the tasks of a DPO is crucial. The regulation requires a DPO to have a higher level of expertise and knowledge of the processes of an organization where the organization's data processing is more complex. Also, the DPO should have appropriate support when a large amount of data is processed; in such cases the role of a DPO should therefore be carried out by a well-staffed DPO team. The DPO is required to have a good understanding of the processing operations carried out by the organization, sound knowledge of the administrative rules and procedures of the organization, and expert level knowledge of the relevant local and EU-wide privacy legislation, and of the GDPR in particular. Additionally, this should include sector specific regulations relevant to the operations of the organization.
What is the position of the DPO in the organization?
Organizations which appoint a DPO, whether required to do so or on a voluntary basis, need to ensure that the DPO is always informed and consulted when Personal Data processing questions arise. In particular, the DPO should be included in senior level management meetings when privacy issues are discussed and should be given the support of senior management; sufficient time to fulfill their duties; adequate financial resources; continuous training; and the necessary access to other services, such as HR, legal, IT or security.
Which employees cannot be appointed to perform the tasks of a DPO?
The organization should always take into account that the DPO has to perform the function independently. Therefore, the DPO should report to and have access to the highest level of management of the organization and be able to clearly voice any dissenting opinion. A DPO cannot hold a position within the organization in which they would be able to determine the purposes and means of the processing of Personal Data. Specifically, the role of a DPO cannot be performed by a CEO, CFO, COO, head of marketing, head of human resources, head of IT, or a legal advisor representing the organization in cases involving data protection issues.
What is the role of a DPO?
As part of their duties to monitor compliance, DPOs shall, in particular:
- inform, advise and issue recommendations to the organization;
- collect information to identify processing activities;
- analyze and check the compliance of processing activities;
- cooperate with and be a contact point for Data Protection Authorities;
- advise the organization whether or not to carry out a Data Privacy Impact Assessment (“DPIA”);
- advise the organization what methodology to follow when carrying out a DPIA; and
- advise the organization whether to carry out the DPIA in-house or whether to outsource it.
Is it possible to appoint an external DPO?
Yes, a DPO can also be chosen from persons not employed by the organization. The external DPO can be an individual or an organization which performs the role of the DPO under a service contract. The advantages include a lower risk of the external DPO being involved in a conflict of interest, and the fact that the role of an external DPO is usually performed by a team whose members have distinct expertise in specific areas. An external DPO can also be of value in the current environment, where a shortage of trained personnel able to perform the tasks of the DPO may be observed.
We at Konečná & Zacha offer our clients the service of performing the tasks of a DPO for their organizations and help them comply with the new Personal Data protection rules set out by the GDPR. Should you have any further inquiries about this topic, or need any assistance with the appointment of a DPO in your company, please feel free to contact us and our legal professionals will guide you through the GDPR jungle.