For many EU Member States, the EU General Data Protection Regulation (GDPR) introduces a new role, the data protection officer (DPO), who (among other tasks) is responsible for monitoring the organisation's compliance with data protection laws, informing and advising on its data protection obligations, and acting as a contact point for data subjects and the relevant national supervisory authorities.
In this regard, one of the most urgent questions companies need to answer is whether they have to appoint a DPO or not.
Rules for the mandatory appointment of a DPO
According to Article 37 GDPR, you must appoint a data protection officer when:
The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
Any organisation that is a public authority or a public body must appoint a DPO. However, the GDPR does not define the term ‘public authority or body’ and leaves it up to each EU Member State to determine which organisations are public authorities and public bodies.
Apart from the courts (when acting in their judicial capacity), this rule also does not apply to public entities whose activities do not require the processing of personal data. If the processing of personal data is required, even for secondary or auxiliary activities of the public body, a DPO must be appointed.
The core activities of the controller or processor consist of processing operations, which (by virtue of their nature, their scope and/or their purposes) require regular and systematic monitoring of data subjects on a large scale.
Unlike public entities, private companies are caught by this rule only if processing personal data is part of their core activities. In other words, if the principal activities are not related to data processing, the data processing should be considered an auxiliary activity.
A specific example would be the processing of health data by a hospital as an operation that is necessary to achieve the hospital’s main objectives. For that reason, all hospitals probably need to appoint DPOs.
Other key elements of this rule are ‘regular and systematic monitoring’ and ‘large scale’. Although the GDPR does not define these terms, the Article 29 Working Party (now replaced by the European Data Protection Board, EDPB) has provided some guidance on them.
‘Regular and systematic monitoring’ includes all forms of tracking and profiling, both online and offline, e.g. where the purpose is behavioural advertising.
When determining if processing is on a large scale, the guidelines say you should take the following factors into consideration:
- the number of data subjects,
- the volume of personal data being processed,
- the range of different data items being processed,
- the geographical extent of the activity and
- the duration of the processing activity.
Example: A large retail website uses algorithms to monitor the searches and purchases of its users and, based on this information, it offers recommendations to them. As this takes place continuously and according to predefined criteria, it can be considered regular and systematic monitoring of data subjects on a large scale.
The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 (such as personal information on health, religion, race or sexual orientation) and personal data relating to criminal convictions and offences referred to in Article 10.
Processing special category data or data relating to criminal convictions and offences carries more risk than processing other personal data. Therefore, when you process this type of data on a large scale, you are required to appoint a DPO.
Example: A health insurance company processes a wide range of personal data about a large number of individuals, including medical conditions and other health information. This can be considered processing special category data on a large scale.
However, the rule on appointing a DPO is one of the many opening clauses of the GDPR, which allow Member States to create additional requirements. Member States are therefore free to require a company to appoint a DPO under stricter conditions (for example, Section 38 of the German Federal Data Protection Act).
Reasons for appointing a DPO if it is not legally mandated
If the above-mentioned reasons for the mandatory appointment of a DPO are not applicable to your company, or if you are not sure, you should consider the following arguments for an optional appointment:
- With a DPO, you’ll have someone who actually understands the details of data protection law and knows how to apply it. This will not only save time and money but also prevent costly mistakes and possible fines.
- A DPO can advise you on how to carry out a data protection impact assessment (DPIA), which will ultimately protect your organization from the threat of GDPR fines.
- Having a DPO who understands the lines of communication and when to activate them will help your company navigate the tightly regulated legal process that follows a data breach. It could save you a massive fine.
- Utilising the services of a DPO who is also a privacy professional and expert in compliance issues can solidify your understanding of data privacy and best practices with regard to individual data protection.
- A DPO can help work out where and how the variety of data protection laws may impact your business.
Note: A group of companies may share a single data protection officer provided that the data protection officer is easily accessible from each establishment. In the case of a public authority or body as the controller or processor, a single data protection officer may be appointed for several authorities or bodies, considering their organisational structure and size.