The processing of huge amounts of personal data by companies is one of the results of the digitisation of the business environment in today’s world. As organisations process ever larger amounts of personal data, the need for a Data Protection Officer (“DPO”) has never been greater.
In accordance with Regulation (EU) 2016/679 (“GDPR”), it is mandatory in certain cases for organisations to designate a DPO. This is the case for all public authorities and bodies, and for other organisations whose core activities consist of the systematic monitoring of natural persons on a large scale or of the processing of special categories of personal data on a large scale.
Even when the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis. What is more, nothing prevents an organisation which is not legally required to designate a DPO, and which does not wish to designate one on a voluntary basis, from nevertheless employing staff or outside consultants with tasks relating to the protection of personal data.
Upon the designation of a DPO, the organisation must ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of the personal data that the organisation processes. In addition, the organisation must provide the DPO with all the resources necessary to carry out the DPO’s tasks effectively.
The DPO of an organisation shall directly report to the highest management level of the organisation and must not receive any instructions regarding the exercise of the DPO’s tasks.
Who can be designated as a Data Protection Officer
An organisation may designate a member of the staff as the DPO or receive the services of a third party based on a service contract.
An organisation shall designate a DPO on the basis of professional qualities and, in particular, expert knowledge of data protection laws and practices and the ability to fulfil the DPO’s tasks.
◼️ Professional qualities
◾️ Good knowledge in national and European data protection laws and practices.
◾️ In-depth understanding of the GDPR – Regulation (EU) 2016/679.
◾️ Good understanding of the processing operations carried out by the organisation, as well as of the information systems, data security and data protection needs of the organisation.
◾️ Knowledge of the business sector of the organisation.
◼️ Level of expertise
◾️ Adequate expertise based on the sensitivity, complexity and amount of data that the organisation processes.
◾️ Adequately trained.
◼️ Ability to fulfil the DPO’s tasks
◾️ Provided with the necessary resources to carry out the DPO’s tasks.
◾️ Access to personal data and processing operations. The DPO must have complete and timely access to the necessary information from the human resources, legal, IT, security and other relevant departments.
◾️ Be able to report to the highest management level of the organisation.
◾️ Where the DPO also performs other tasks, the organisation must ensure that these other tasks do not result in a conflict of interests. Prior to the designation of the DPO, the organisation must identify the positions which would be incompatible with the function of DPO and draw up internal rules in order to avoid conflicts of interests.
◾️ Must have sufficient time to fulfil the DPO’s tasks and duties.
Tasks of the Data Protection Officer
In accordance with the Regulation (EU) 2016/679, the Data Protection Officer shall have at least the following tasks:
◾️ To inform and advise the organisation and the organisation’s employees who carry out processing, of their obligations pursuant to the Regulation (EU) 2016/679 and to other Union or Member State data protection provisions.
◾️ To monitor the compliance of the organisation with the GDPR and other Union or Member State data protection provisions, as well as with the policies of the organisation in relation to the protection of personal data. Monitoring includes the collection of information to identify processing activities, analyse the processing activities and provide recommendations to the organisation.
◾️ To assist the organisation in the performance of a Data Protection Impact Assessment (“DPIA”). The DPO should provide advice when a DPIA is performed and should monitor its performance. The DPO may advise on what methodology to follow when carrying out a DPIA, what safeguards to apply to mitigate any risks to the rights and interests of data subjects, and whether the DPIA has been correctly performed.
◾️ To cooperate with the supervisory authority and act as a contact point, in accordance with Article 39(1)(d) and (e) of the GDPR. Acting as a contact point includes facilitating access by the supervisory authority to the documents and information it needs for the performance of its tasks under Article 57 and the exercise of its powers under Article 58 of the GDPR.
It is common practice for the DPO to also be assigned the task of maintaining the Record of Processing Activities of the organisation. Maintaining a Record of Processing Activities is a duty of the organisation under Article 30(1) and (2) of the GDPR; however, an organisation may assign the DPO the task of maintaining the Record of Processing Activities under the responsibility of the organisation. The Record of Processing Activities can be considered one of the tools that enables the DPO to perform the tasks of monitoring compliance with the GDPR and the organisation’s policies, and of informing and advising the organisation.
Conclusion
The DPO of an organisation is not personally responsible for non-compliance of the organisation with the GDPR rules and obligations. In accordance with Article 24(1) of Regulation (EU) 2016/679, data protection compliance is the responsibility of the organisation.
The role of the DPO is important in developing a data protection culture within an organisation. The DPO contributes to the effective implementation of essential elements of the GDPR, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and the notification and communication of data breaches. What is more, the DPO acts as an intermediary in the relationship between the organisation, the supervisory authority and the data subjects.
An organisation may consider it necessary, based on its size and structure, to set up a DPO team consisting of the DPO and his/her staff. In such cases, the organisation must clearly define the internal structure of the DPO team and the tasks and responsibilities of each of its members.
Where an organisation is obliged to designate a DPO but fails to comply with this obligation, the organisation is subject to an administrative fine of up to 10 million Euro or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Sources:
- Article 29 Data Protection Working Party – Guidelines on Data Protection Officers (‘DPOs’)
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)