ARTICLE
20 January 2025

Appointment Of A Data Protection Officer (DPO) As An Obligation Of The Data Controller

KBZ Zuradzki Barczyk & Partners Advocates and Attorneys-at-law LP


Although the General Data Protection Regulation (GDPR) has been in force for over six years, many organizations have still not conducted an assessment to determine whether appointing a Data Protection Officer (DPO) is necessary.

Every data controller should conduct such an analysis, as ignoring this obligation may result in serious legal and organizational consequences, as indicated in a recently issued decision by the President of the Personal Data Protection Office.

When is it mandatory to appoint a data protection officer?

According to Article 37 of the GDPR, the data controller and the data processor are obligated to appoint a data protection officer if they meet at least one of the following conditions:

  • the processing is carried out by a public authority or body, with the exception of the courts in the performance of their judicial functions;

Public authorities and bodies include, among others, local government units, budgetary units, independent public healthcare institutions, and public universities. However, it should be noted that commercial companies, including limited liability companies or joint-stock companies, will not be subject to the obligation to appoint a DPO based on this condition – for them, the obligation to appoint a DPO may arise from other conditions.

  • the main activities of the data controller or data processor involve processing operations which, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale;

In connection with the above, to determine whether this condition is met, it is necessary to analyze the following issues:

  1. which activity of the data controller can be considered as the "main" activity,
  2. what is meant by "large-scale processing" and
  3. what is included in the term "processing operations which, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects".

  • the main activities of the data controller or data processor involve large-scale processing of special categories of personal data referred to in Article 9 of the GDPR, or personal data related to criminal convictions and offenses.

The obligation to appoint a Data Protection Officer, arising from this condition, applies to large-scale processing of special categories of personal data (e.g., health data, racial origin) and data related to criminal convictions and offenses, which are typically processed only in specific cases.

According to the guidelines of the Article 29 Working Party, meeting one of these conditions is sufficient for the obligation to appoint a DPO to be imposed, despite the use of "and" in the provision, which suggests the need to combine them.

In other cases, the appointment of a DPO is optional. Nevertheless, it is recommended that data controllers and data processors document, in an internal procedure, their assessment of whether or not the obligation to appoint a DPO applies to them.

Method of the appointment of the Data Protection Officer

The Data Protection Officer may be either an employee of the data controller / data processor employed under an employment contract or may perform their duties based on a service agreement.

The President of the Personal Data Protection Office pays special attention to the form of appointing the Data Protection Officer. The appointment, whether by legal act or by contract, should be in writing for evidential purposes before the supervisory authority. Furthermore, the data controller should specify the scope of the DPO's duties in such an act.

Special attention should also be given to the obligation to publish the contact details of the DPO, including on the website of the data controller, as well as the obligation to notify the supervisory authority of the DPO's contact details.

Obligations of the data protection officer

The Data Protection Officer is responsible for informing the data controller and data processors about their obligations under data protection laws and for monitoring compliance, including by conducting training and audits. The DPO's tasks also include providing advice regarding data protection impact assessments and monitoring their performance, as well as cooperating with the supervisory authority.

Fine for not appointing a DPO and not publishing contact details

It is important to remember that failure to fulfill the obligations related to the appointment of a DPO can result in a financial fine.

In the decision of October 18th, 2024 (DKN.5131.7.2024), the President of the Personal Data Protection Office in Poland imposed an administrative fine of PLN 25,000 on an entity for failing to appoint a Data Protection Officer, failing to publish the DPO's contact details, and failing to notify the supervisory authority of those details. The authority not only emphasized the obligation to appoint a DPO but also highlighted other duties that are inextricably linked to the appointment of a DPO.

The President of the Personal Data Protection Office stated that the fine of PLN 25,000 imposed on the data controller is appropriate to the circumstances of the case and meets the conditions specified in Article 83(1) of Regulation (EU) 2016/679. The fine was set with regard to the severity of the identified violation, taking into account the primary goal of the GDPR, which is the protection of the rights and freedoms of individuals, including the right to the protection of personal data.

It is worth noting that according to Article 83 of the GDPR, the maximum fine for such a violation can be up to €10 million or 2% of the total annual turnover of the company, whichever is higher. In the case of public sector entities, the upper limit of the administrative fine has been limited to PLN 100,000.

If you need assistance in fulfilling the obligation to appoint a data protection officer or if you have doubts about whether this obligation applies to you, we encourage you to contact our specialists.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
