Under the GDPR, certain organisations are required to appoint a designated Data Protection Officer (DPO). Organisations are also required to publish the details of their DPO and provide these details to their national supervisory authority.
The GDPR does not specify the credentials a DPO must have. However, the WP29 (Article 29 Working Party) published guidelines, which have been adopted by its successor, the EDPB, defining minimum requirements regarding the DPO's expertise and skills:
- Level of expertise – understanding how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expert knowledge of data protection law and practices the DPO will need.
- Professional qualities – DPOs do not need to be qualified lawyers. Still, they must have expertise in national and European data protection law, including in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of what technical and organisational measures the organisation has in place and be familiar with information technologies and data security.
In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules and procedures.
Data Protection Officer Roles & Responsibilities
Articles 37–39 of the GDPR set out its DPO-related requirements:
- When one must be appointed (Article 37);
- The nature of their position in the organisation (Article 38); and
- The tasks they must carry out (Article 39).
Infringements of Articles 37–39 leave organisations open to the GDPR's lower tier of administrative fines, up to 2% of annual global turnover or €10 million, so it is essential to meet your DPO obligations correctly and in full.
The DPO's Tasks
The DPO reports directly to "the highest management level" in the organisation and has the following tasks under the GDPR:
- Informing and advising the organisation and its employees of their data protection obligations.
- Monitoring the organisation's compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
- Advising on whether a DPIA (data protection impact assessment) is necessary, how to conduct one, and what outcomes to expect.
- Serving as the contact point for the relevant supervisory authority on all data protection issues, including data breach reporting.
- Serving as the contact point for data subjects on privacy matters, including DSARs (data subject access requests).
Who needs to appoint a DPO?
Under Article 37(1) of the GDPR, appointing a DPO is mandatory in three circumstances:
- The organisation is a public authority or body.
- The organisation's core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
- The organisation's core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences.
Therefore, to assess whether a Company is obliged to appoint a DPO, it is necessary to examine this provision further: specifically, whether the 'core activities' of the Company consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require 'regular and systematic monitoring of data subjects on a large scale'.
What is meant by 'core activities'?
Article 37(1)(b) of the GDPR refers to the 'core activities of the controller or processor'. For a positive determination that the Company is required to appoint a DPO, the processing of personal data must form part of the Company's primary activities rather than being merely ancillary to them. However, 'core activities' should not be interpreted as excluding activities where the processing of data forms an inextricable part of the Company's activity.
What is meant by 'large scale'?
Additionally, Article 37(1)(b) requires that the processing of personal data be carried out on a large scale in order for the designation of a DPO to be triggered. The GDPR does not define what constitutes large-scale processing, though Recital 91 provides some guidance. According to the recital, 'large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk' would be included, in particular. On the other hand, the recital specifically provides that 'the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer'. It is important to consider that while the recital provides examples at the extremes of the scale (processing by an individual physician versus processing of data of a whole country or across Europe), there is a large grey zone in between these extremes. In addition, it should be borne in mind that this recital refers to data protection impact assessments. This implies that some elements might be specific to that context and do not necessarily apply to the designation of DPOs in exactly the same way.
What are the legal requirements for the DPO role?
- Independence
The GDPR requires that the DPO operate independently and without instruction from their employer over how they carry out their DPO tasks. This includes instructions on what result should be achieved, how to investigate a complaint, or whether to consult the ICO. Organisations also cannot tell their DPO how to interpret data protection law.
- No conflicts of interest
Although the GDPR allows DPOs to "fulfil other tasks and duties", organisations must ensure that these do not result in a "conflict of interests" with the DPO duties. Most senior positions within an organisation are likely to cause a conflict (e.g., CEO, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR and head of IT).
How can CSB Group help?
Over the past years, we have carried out several GDPR audits and training sessions for our diverse portfolio of clients, and we continuously assist clients with their various obligations under data protection law.
Service offering:
- Comprehensive legal advisory services
- Assisting companies in adhering to their obligations under the GDPR
- Training DPOs and other staff members
- Offering an outsourced DPO function
- Drafting of data protection policies and data processing agreements
- Legal representation in the event of an IDPC investigation
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.