Following the adoption of the new EU General Data Protection Regulation (GDPR) on 27 April 2016, most organisations began to re-examine their internal processes and procedures in order to ensure compliance with the new requirements before its entry into force in May 2018.
To assist you in this task, we have identified 10 hot topics which should be handled in priority. We propose to present each of these points of attention separately in a newsflash to be published every two weeks, where we will provide you with practical hints to prepare efficiently.
In this issue, we will outline the role of the Data Protection Officer (DPO) and detail how it will facilitate compliance with the provisions of the GDPR and, in doing so, contribute to the accountability-based compliance framework for data protection in Europe.
A DPO is a person, either an employee or an external contractor, who is given formal prerogatives to ensure data protection compliance within an undertaking or group of undertakings.
Under the current Luxembourg data protection law, the appointment of a “data protection official” is not mandatory but can be voluntary, and such appointment can exempt organisations from certain obligations such as a prior notification of processing operations to the Luxembourg Data Protection Authority (DPA).
With the GDPR, the appointment of a DPO will become mandatory for some organisations.
Under the current Luxembourg legislation, DPOs have a duty to oversee data protection operations within a company, in an independent manner. They may submit to the Luxembourg DPA a register of the processing operations carried out by the data controller. DPOs are granted with a power of investigation to ensure supervision of compliance by the data controller with the provisions of applicable data protection legislation, and a right to receive appropriate information from the data controller in order to be able to perform their duties and, correlatively, a right to inform data controllers about the formalities that must be carried out in order to comply with applicable requirements.
Although current legislation does not require any organisation to appoint a DPO in Luxembourg, the concept of DPO itself is therefore not new. The practice of appointing a DPO has developed in several Member States for the past 20 years, which created the need to establish a new set of rules, mainly contained in articles 37 to 39 of the GDPR, to support the development of the position within organisations. On 16th December 2016, the Article 29 Working Party (A29WP) has issued guidelines (WP233) to provide businesses with useful information on the appointment and role of DPOs (the “Guidelines”).
I. Which organisations are required to appoint a DPO?
The GDPR makes it compulsory for certain controllers and processors to designate a DPO. This may be the case for all public authorities and companies in the private sector depending on the type of data they process.
Mandatory designation of a DPO.- Article 37 (1) of the GDPR requires the designation of a DPO in the following specific cases:
a) where the processing is carried out by a public authority or body;
b) in the private sector, for organisations that, as a core activity:
- monitor individuals systematically (i.e. periodically, on particular intervals, repeated at fixed times) and on a large scale; and/or
- process special categories of personal data on a large scale (e.g. businesses regularly processing sensitive information such as businesses operating in the health sector).
Such mandatory requirements apply to both data controllers and processors.
The Guidelines provide for welcome guidance with regard to the criteria and terminology used in Article 37 (1) of the GDPR. The term “core activities” shall be understood as “the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity”. To determine whether the processing is carried out on a “large scale”, the A29WP recommends that the following factors be considered: (i) the number of data subjects concerned (either as a specific number or as a proportion of the relevant population), (ii) the volume of data and/or the range of different data items being processed, (iii) the duration (or permanence) of the data processing activity, and (iv) the geographical extent of the processing activity. The notion of “regular and systematic monitoring” of data subjects includes “all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment”.
Voluntary designation of a DPO.- Even when the GDPR does not specifically require the appointment of a DPO, organisations may find it useful to designate a DPO on a voluntary basis. The A29WP encourages these voluntary efforts towards more data protection compliance. Appointing a DPO should not only be perceived as an expense, but also as a means to optimise existing data privacy processes and to have one specific person dealing with supervisory authorities. Voluntary designation of a DPO may ultimately be considered as an efficient solution to achieve GDPR compliance.
II. Requirements and tasks of a DPO
Professional qualities.- Under the GDPR, the DPO shall be designated on the basis of 3 elements: (i) professional qualities, (ii) expert knowledge of data protection law and practices and (iii) the ability to fulfil the tasks.
Where current applicable law mainly focuses on diplomas, the GDPR favours relevant experience.
The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. Such skills and expertise include: expertise in national and European data protection laws and practices (including an in-depth understanding of the GDPR); understanding of the processing operations carried out; understanding of information technologies and data security; knowledge of the business sector and the organisation; and the ability to promote a data protection culture within the organisation.
External DPO.- According to Article 37(6) of the GDPR, the DPO may be a staff member of the controller or the processor (i.e. internal DPO) or “fulfil the tasks on the basis of a service contract”. This means that the DPO can be external and that his/her function can be exercised based on a service contract concluded with an individual or an organisation. In the Guidelines, the A29WP clarifies that when the function of DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the DPO tasks as a team, under the responsibility of a designated lead contact for the client.
Performance of other tasks.- The DPO may also perform other tasks as long as that does not result in a conflict of interest and provided that the other tasks leave the DPO enough time to perform the obligations as DPO. This being said, the DPO cannot hold a position within the organisation that leads him/her to determine the purpose and the means of the processing of personal data. This has to be considered on a case by case basis. The A29WP gives several examples of conflicting positions, it shall mainly include senior management positions (such as CEO, CFO, COO, head of marketing department, head of HR or head of IT), as well as other roles which may lead to the determination of purposes and means of processing.
Group of companies.- The GDPR provides that a group of undertakings may designate a single DPO provided that he/she is “easily accessible from each establishment”. This requirement derives from the fact that the DPO is the privileged contact with regards to data protection issues/points with respect to data subjects, the supervisory authority and also internally within the organisation. The DPO must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language(s) used by both the supervisory authorities and the data subjects concerned.
Under the GDPR, the following tasks fall within the role of the DPO which, he/she in doing so, shall take into account the risks associated with the processing operations: (i) inform and advise the controller or the processor and their employees involved in data processing of their obligations under the GDPR and other data protection laws, (ii) monitor compliance with the GDPR and other applicable data protection laws, as well as with internal data protection policies, (iii) provide advice in relation to data protection impact assessments and monitor its performance, and (iv) cooperate with and act as a point of contact for the supervisory authorities.
In addition the GDPR requires the controller or the processor to publish the contact details of the DPO and to communicate them to the relevant supervisory authorities.
c) Obligations of the controller and/or processor towards the DPO
The controller or processor must provide necessary resources to the DPO to enable the latter to carry out his/her tasks. This includes (i) ensuring that the DPO is involved in all data protection issues (properly and in a timely manner), and (ii) providing for adequate safeguards to enable the DPO to perform his/her tasks in an independent manner (i.e. no instructions by the controllers or the processors regarding the exercise of the DPO’s tasks; no dismissal or penalty by the controller or processor for the performance of the DPO’s tasks; no conflict of interest with possible other tasks and duties).
If a business fails to fulfil its obligations regarding the appointment and support of a DPO, it may face fines under the GDPR up to a maximum of the greater of €10 million or 2% of the worldwide turnover.
III. What to consider when appointing a DPO
As previously mentioned, the DPO ought to become an essential member of your organisation, who shall, while remaining independent, conduct your company’s or even group’s GDPR data protection compliance.
Therefore, before appointing a DPO, whether it is required by the GDPR or by voluntary appointment, companies should consider the following elements:
- Should the DPO be internal or external (i.e. a consultant)?
- If it is considered that the DPO should be internal to your organisation, can you count on existing personnel or should you hire a new profile?
- Is it sufficient to share the DPO with other companies of the group or should each entity have its own DPO? If you decide to appoint one DPO for the group, in which country should he/she be established?
- Should the DPO’s duties be limited to data protection or will the DPO be given other tasks (e.g. legal, compliance)?
- What level of expertise is required taking into account the processing operations performed by the company/group?
- How should the DPO be integrated with other business functions (e.g. HR or IT)?
IV. Liability of the DPO
One question remains: will DPOs be personally liable if their organisation fails to comply with the GDPR?
The quick answer is “no”. DPOs are not personally responsible in case of non-compliance with the GDPR. Data protection compliance remains the responsibility of the controller or the processor. Indeed, the GDPR makes it clear that it is up to the controller or the processor to ensure and to be able to demonstrate that the processing of data is performed in accordance with its provisions.
It seems that negotiators compromised on the criteria to appoint a DPO. The general requirement for the public sector to appoint a DPO has not been the subject of a change of approach between the various versions of the GDPR.
Although an initial draft of the GDPR limited mandatory DPO appointments to companies with more than 250 employees, the final version did not retain such thresholds, which leaves us with broad concepts to interpret such as “core activities” and “large scale”.
While the majority of businesses may not be required to appoint a DPO, we can only encourage you to do so voluntarily to ensure compliance with the provisions of the GDPR and demonstrate accountability, so that it becomes a competitive advantage for your business.
Assess whether your organisation is required to designate a DPO
- if so, consider how to best comply with this requirement and determine whether he/she should be internal or external
- if not, consider the opportunity of a voluntary appointment to centralise responsibility for new compliance obligations under the GDPR
In both cases where your organisation would appoint a DPO (i.e. whether it is required by the GDPR or voluntary) we recommend evaluating various factors (cf. section III. What to consider when appointing a DPO) to make an informed choice.