Should I appoint a Data Protection Officer under the GDPR?
Friday 25 May 2018 is a fixed date. From that day the European General Data Protection Regulation (GDPR) applies directly in every member state and replaces the current Data Protection Act.
In the blog of 31 May 2017 we gave you 10 tips to get your organization ready for the GDPR. In this blog I will discuss tip 4 in more detail: assess whether your organization is obliged to appoint a Data Protection Officer.
Under the GDPR (Article 37) certain organizations are obliged to appoint a so-called Data Protection Officer (DPO).
To whom does this obligation apply?
This obligation applies to Controllers and Processors (in the sense of the GDPR) which:
- are a public authority or government body (courts acting in their judicial capacity excepted); or
- have as their core activities:
- the regular and systematic monitoring of persons on a large scale; or
- the large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences.
Special categories of personal data (Article 9) are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data, and data concerning health, sex life or sexual orientation.
Public authorities and government bodies must therefore always appoint a DPO, irrespective of their tasks; the only exception is courts acting in their judicial capacity.
For private organizations the nature and extent of the processing are decisive. The Article 29 Working Party (WP29), the influential advisory body of the European supervisory authorities, gives the following examples:
- The core task of a hospital is providing medical care. That task cannot be carried out properly without storing patients' medical data, combining them with other medical data and sharing them within the hospital and, for example, with general practitioners; in other words, without processing these special categories of data. Processing medical data therefore belongs to the core activities of a hospital, and it does so on a large scale. A hospital must therefore appoint a DPO.
- A construction materials company that secures its outdoor premises with its own video surveillance system does monitor persons, but this is not its core activity and most likely not large-scale either. There is therefore no obligation to appoint a DPO.
- The core activity of a security company that, on behalf of several shopping centres, monitors their public areas with cameras is precisely the monitoring of persons, and it does so on a large scale. Such a company must appoint a DPO.
The same applies to online marketing companies which, on behalf of their customers, analyse and record the browsing behaviour of the visitors of their customers' websites.
What is the task of a DPO?
The task of the DPO is to inform the management and, whether asked or not, to advise it about the obligations the company has under the GDPR. The DPO must also monitor compliance, even though he cannot impose any sanctions. He is in fact both an internal advisor and an internal supervisor. For that reason he must have an independent position: the management may not instruct the DPO on how to perform his tasks, and certainly not on his judgement of privacy matters, and the DPO reports directly to the highest management level (Article 38).
The DPO is moreover the contact point for privacy matters, both internally and externally. 'Externally' means that not only the data subjects (the persons to whom the personal data relate) but also the Data Protection Authority (DPA) will turn to the DPO first. It is therefore essential that the DPO can be found easily and is readily accessible at all times.
Another task of the DPO is to cooperate with the supervisory authority.
In practice the DPO will most likely be the person who carries out or coordinates the data mapping and who draws up and maintains the record of processing activities (the next blog will deal with this in more detail).
This extensive range of tasks does not make the DPO personally liable if the company fails to comply with the GDPR. The company is and remains the responsible party. It is also the company's responsibility to involve the DPO properly and in a timely manner in all issues that concern the protection of personal data.
Who can be appointed as DPO?
The DPO is a natural person. Where an external firm provides the service, WP29 recommends that one named individual be designated as the lead contact for the client.
First of all, a DPO must have expertise in the field of privacy law, data processing and information security. Apart from that he must have in-depth knowledge of the way the company is organized and of all its data flows and processing operations. A DPO must also be given the resources to obtain and maintain the required knowledge and expertise.
The more sensitive the personal data processed, and the larger the volume of data and the more complex the processing, the more expertise the DPO must have.
A DPO can be an employee of the company, but he may not have conflicting interests, and in particular may not himself determine the purposes and means of data processing. A position in the management team, for example, generally cannot be combined with the function of DPO (WP29 names the CEO, COO, CFO, head of marketing, head of HR and head of IT as positions that typically conflict). If the DPO is an employee, he enjoys protection similar to that of the members of the Works Council. Slightly exaggerated, it could be said that he cannot be dismissed or penalised for the mere reason that his advice and opinions, critical or not, are not appreciated.
An external person can also be appointed as DPO on the basis of a service contract. Such a person can be the DPO of more than one company or institution, as long as he is able to know each of them properly, to understand and keep track of their processes thoroughly and to remain easily accessible to all of them.
Formal position of the DPO
The function of the DPO is a formal position. The name and contact details of the DPO must be communicated to the DPA, and the contact details must also be published, for example in the company's privacy statement.
Voluntary appointment of a DPO or a privacy officer?
A company that is not obliged to appoint a DPO may choose to do so voluntarily. If it makes that choice, all statutory rules regarding the DPO apply to that company in full!
A company that is not obliged to appoint a DPO may also choose to appoint a 'privacy officer' who does not have the formal position of DPO. This person is not notified to the DPA as DPO and does not enjoy the statutory protection, although he largely carries out similar tasks. It must then be clear, internally and externally, that this person is not a DPO in the sense of the GDPR.
Note that given the accountability principle, which plays a major role under the GDPR, it is advisable and important for every company to charge one competent person with the internal monitoring of and advice on privacy protection: a person who is easily accessible both internally and externally and who can be the contact point for complaints, problems, questions and so on.