The General Data Protection Regulation (GDPR) specifies when an enterprise needs to appoint a data protection officer (DPO). This officer acts as the first point of contact for all data security issues.
Under Article 37 GDPR, controllers and processors shall designate a data protection officer when their core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or when their core activities consist of processing special categories of data ("sensitive data") or personal data relating to criminal convictions and offences.
The obligation to appoint a DPO applies without regard to the company's size or number of staff. A group of undertakings may appoint a single data protection officer provided that such person is easily accessible from each establishment.
Violations of the obligation to designate a DPO are punishable by a fine of up to EUR 10m or 2% of the enterprise's total global annual turnover.
Tasks of the DPO
The foremost task of a DPO is to act as an internal advisor and supervisor. Specifically, the DPO needs to inform and advise the controller or the processor and their employees of their obligations under the GDPR and national data protection regulations and to monitor compliance with such provisions. The DPO is, moreover, assigned an advisory and monitoring function as regards the data protection impact assessment. As an internal contact point, the DPO is required to cooperate with the supervisory authority.
Independent and not subject to instructions
According to Article 38 GDPR, enterprises must ensure that the DPO is involved in all issues which relate to the protection of personal data and must support the DPO in performing his or her tasks. In particular, they must make sure that the DPO does not receive any instructions regarding the exercise of those tasks; he or she must be able to perform his or her duties and tasks in complete independence.
Avoidance of conflicts of interests
The DPO may be a staff member of the enterprise or an external DPO working on the basis of a service contract. If the DPO is an employee of the enterprise who is required to perform other tasks and duties in addition to his or her function as DPO, the two roles, and the rights and duties that result from each, must be kept separate. Although the DPO does not receive any instructions in performing his or her tasks as DPO, he or she is subject to the employer's instructions for his or her other tasks, just like any other employee.
In such cases, controllers and processors must make sure to avoid any conflict of interests. Accordingly, a DPO must not be charged with any task or duty that could lead to a conflict of interests. This includes in particular positions that involve determining the purposes and means of processing personal data. Thus, a conflict of interests may arise whenever the DPO would have to monitor him- or herself. This would be the case if he or she were to run the IT, marketing or human resources department. Acting as the enterprise's manager would also be incompatible with the DPO's responsibility under the GDPR to report directly to the highest management level. Enterprises are therefore recommended to develop internal guidelines for avoiding conflicts of interests when appointing a DPO.
Voluntary assignment of a DPO
Enterprises are free to appoint a DPO even if there is no such obligation under the GDPR. Such a voluntary appointment is recommended particularly when it is not entirely clear whether it is obligatory. It should, however, be noted that DPOs who are voluntarily appointed have the same rights and duties as those who are mandatorily appointed.
Neither the GDPR nor the Austrian Data Protection Act (DSG) contains any provision regarding a minimum term of office for a DPO. Whereas employees can be given notice at any time without any grounds, a DPO under the GDPR must "not be dismissed or penalised for performing his tasks". It remains to be seen how this conflict will be resolved in actual practice. Nevertheless, the DPO will not enjoy the same protection against dismissal that is accorded to members of a works council, so that his or her dismissal will not require any judicial consent. Gross dereliction of duty, which constitutes grounds for dismissal, justifies his or her removal from the office of DPO. Limiting the period of appointment is permissible and recommended.