The Legal Framework of Data Protection Officers [DPOs]

Under Regulation (EU) 2016/679 [the GDPR], certain controllers and processors are obliged to designate a DPO. The DPO is the cornerstone of the system of accountability established by the GDPR (p. 4 of the ART29WP Guidelines).

Legal Framework
The relevant provisions for DPOs are set out in the following legal texts:

  • Recital 97 of the GDPR;
  • Articles 37-39 of the GDPR;
  • Art29 WP Guidelines on DPOs (WP 243 rev.01).

Controller / Processor Obligations to Designate a DPO
In the public sector, a public authority or body is always obliged to designate a data protection officer. The designation of a DPO is likewise mandatory for the competent authorities that process personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which fall under Directive (EU) 2016/680 rather than the GDPR. Even where no obligation arises, private organisations carrying out public tasks or exercising public authority should, as a good practice, designate a DPO (p. 6 of the ART29WP Guidelines).

In the private sector, a controller or processor is obliged to designate a data protection officer only where the processing in question belongs to its core activities rather than to ancillary activities, and one of the conditions of article 37 § 1 is met (recital 97 of the GDPR, p. 4 of the ART29WP Guidelines).

In particular, the controller and the processor have a statutory obligation to designate a data protection officer in any case where (article 37 § 1 of the GDPR):

  • Public Authorities – The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • Regular and Systematic Monitoring of Data Subjects – The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • Sensitive Data on a Large Scale – The core activities of the controller or the processor consist of processing on a large scale of special categories of data (article 9 of the GDPR) and of personal data relating to criminal convictions and offences (article 10 of the GDPR). The ART29WP reads the "and" in article 37 § 1(c) as "or": large-scale processing of either category of data on its own triggers the obligation.

“Core activities” can be considered as the key operations necessary to achieve the controller’s or processor’s goals. For example, the core activity of a hospital is to provide health care. However, a hospital could not provide healthcare safely and effectively without processing health data, such as patients’ health records. Therefore, processing these data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs. On the other hand, all organisations carry out certain activities, for example, paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity (p. 7 of the ART29WP Guidelines).

The GDPR does not define "large scale". Recital 91 gives some guidance by referring to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level, which could affect a large number of data subjects and which are likely to result in a high risk. The same recital states that processing should not be considered to be on a large scale if it concerns the personal data of patients or clients of an individual physician, other health care professional or lawyer. The following factors should, in particular, be considered when determining whether processing is carried out on a large scale (p. 7-8 of the ART29WP Guidelines):

  • the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
  • the volume of data and/or the range of different data items being processed;
  • the duration, or permanence, of the data processing activity;
  • the geographical extent of the processing activity.

Examples of large-scale processing include: (a) processing of patient data in the regular course of business by a hospital; (b) processing of travel data of individuals using a city's public transport system (e.g. tracking via travel cards); (c) processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services; (d) processing of customer data in the regular course of business by an insurance company or a bank; (e) processing of personal data for behavioural advertising by a search engine; (f) processing of data (content, traffic, location) by telephone or internet service providers. Examples that do not constitute large-scale processing include: (1) processing of patient data by an individual physician; (2) processing of personal data relating to criminal convictions and offences by an individual lawyer (p. 7-8 of the ART29WP Guidelines).

In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet, including the potential subsequent use of data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning him or her or for analysing or predicting his or her personal preferences, behaviours and attitudes (recital 24 of the GDPR). Thus, the concept of "monitoring of the behaviour of data subjects" includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. The ART29WP adds that monitoring is not restricted to the online environment; online tracking is only one example of it. "Regular" is read as ongoing or occurring at particular intervals, recurring or repeated at fixed times, or constantly or periodically; "systematic" as occurring according to a system, pre-arranged, organised or methodical, taking place as part of a general plan or carried out as part of a strategy. Examples of activities that may constitute regular and systematic monitoring of data subjects: operating a telecommunications network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money laundering); location tracking, for example by mobile apps; loyalty programmes; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed-circuit television; connected devices, e.g. smart meters, smart cars, home automation, etc. (p. 8-9 of the ART29WP Guidelines).

Depending on who fulfils the criteria on mandatory designation, in some cases only the controller or only the processor, in other cases both the controller and its processor are required to appoint a DPO (who should then cooperate with each other). It is important to highlight that even if the controller fulfils the criteria for mandatory designation its processor is not necessarily required to appoint a DPO. This may, however, be a good practice. (p. 9 of the ART29WP Guidelines).

Even in cases in which the designation of a DPO is not obligatory, the controller or processor, or associations and other bodies representing categories of controllers or processors, may designate a data protection officer; in that case the DPO may act for such associations and other bodies (article 37 § 4 of the GDPR, p. 4 of the ART29WP Guidelines). Where a DPO is designated on a voluntary basis, the requirements of articles 37 to 39 apply to his or her designation, position and tasks as if the designation had been mandatory (p. 5 of the ART29WP Guidelines).

Unless it is obvious that an organisation is not required to designate a DPO, controllers and processors are recommended to document the internal analysis carried out to determine whether or not a DPO is to be appointed, in order to be able to demonstrate that the relevant factors have been taken into account properly (p. 5 of the ART29WP Guidelines). Organisations that have not designated a DPO should make clear, in communications within the organisation as well as with data protection authorities, data subjects and the public at large, that the title of any individuals or consultants handling data protection matters on their behalf is not that of a data protection officer (DPO) (p. 6 of the ART29WP Guidelines).

Other Controller / Processor Obligations in Regard to the DPO
The controller or the processor shall have the following obligations in regard to the DPO:

  • Contact Details – Publish the contact details of the data protection officer and communicate them to the supervisory authority (article 37 § 7 of the GDPR). Data subjects (both inside and outside the organisation) and the supervisory authorities should be able to contact the DPO easily and directly, without having to go through another part of the organisation (p. 12 of the ART29WP Guidelines). The contact details should therefore include information allowing data subjects and the supervisory authorities to reach the DPO in an easy way (a postal address, a dedicated telephone number and/or a dedicated e-mail address). Where appropriate, for purposes of communication with the public, other means could also be provided, for example a dedicated hotline or a dedicated contact form addressed to the DPO on the organisation's website. The published contact details are not required to include the name of the DPO (p. 12 of the ART29WP Guidelines).
  • Involvement – Ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data (article 38 § 1 of the GDPR). The DPO, or his or her team, should be involved from the earliest stage possible in all issues relating to data protection. It is recommended that the DPO be invited to participate regularly in meetings of senior and middle management, and that he or she be present where decisions with data protection implications are taken. All relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide adequate advice. The opinion of the DPO must always be given due weight; in case of disagreement, it is recommended, as good practice, that the controller or processor documents the reasons for not following the DPO's advice. In any case, the DPO must be promptly consulted once a data breach or another incident has occurred (p. 13-14 of the ART29WP Guidelines).
  • Support with Necessary Resources – Support the data protection officer in performing his or her tasks by providing the resources necessary to carry out those tasks, access to personal data and processing operations, and the means to maintain his or her expert knowledge (article 38 § 2 of the GDPR). DPOs must be given sufficient autonomy and resources to carry out their tasks effectively (p. 5 of the ART29WP Guidelines). The necessary resources include the following: (i) active support of the DPO's function by senior management (such as at board level); (ii) sufficient time for the DPO to fulfil his or her duties; (iii) adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate; (iv) official communication of the designation of the DPO to all staff, to ensure that the DPO's existence and function are known within the organisation; (v) necessary access to other services, such as Human Resources, legal, IT, security, etc., so that the DPO can receive essential support, input and information from those services; (vi) continuous training; (vii) setting up a DPO team (the DPO and his or her staff), if this is necessary given the size and structure of the organisation. In general, the more complex and/or sensitive the processing operations, the more resources must be given to the DPO (p. 14 of the ART29WP Guidelines).
  • Independence – Ensure that the data protection officer does not receive any instructions regarding the exercise of his or her tasks, and that he or she is not dismissed or penalised by the controller or the processor for performing those tasks (article 38 § 3 of the GDPR). The DPO, whether or not he or she is an employee of the controller, should be in a position to perform his or her duties and tasks in an independent manner (recital 97 of the GDPR). Hence, neither unfair termination of a service contract for activities carried out as DPO nor unfair dismissal of any individual member of the organisation carrying out the DPO tasks is allowed (p. 12 of the ART29WP Guidelines). DPOs must not be instructed how to deal with a matter, for example what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority. Nor may they be instructed to take a certain view of an issue related to data protection law, for example a particular interpretation of the law (p. 15 of the ART29WP Guidelines).
  • Highest Level Reporting – The data protection officer shall directly report to the highest management level of the controller or the processor (article 38 § 3 of the GDPR).
  • Absence of Conflicts of Interest – Ensure that any other tasks and duties assigned to the DPO do not result in a conflict of interests (article 38 § 6 of the GDPR).

The controller or processor remains responsible for compliance with data protection law and must be able to demonstrate compliance. If the controller or processor makes decisions that are incompatible with the GDPR and the DPO’s advice, the DPO should be given the possibility to make his or her dissenting opinion clear to the highest management level and to those making the decisions (p. 15 of the ART29WP Guidelines).

DPO Strategy
A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment (article 37 § 2 of the GDPR). Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size (article 37 § 3 of the GDPR).

In the ART29WP's reading, "easily accessible" refers to the DPO's role as a contact point for data subjects, for the supervisory authority and internally within the organisation. A single group DPO, with the help of a team if necessary, must therefore be in a position to communicate efficiently with data subjects and to cooperate with the supervisory authorities concerned, in their language where needed (p. 10 of the ART29WP Guidelines).

To ensure that the DPO is accessible, it is recommended that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union (p. 10 of the ART29WP Guidelines).

The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract (article 37 § 6 of the GDPR).

The data protection officer may fulfil other tasks and duties apart from his or her role as DPO, provided that these do not result in a conflict of interests (article 38 § 6 of the GDPR).

The DPO can be external; in this case his or her function is exercised on the basis of a service contract concluded with an individual or an organisation. When the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the DPO tasks as a team, under the responsibility of a designated lead contact and "person in charge" for the client. In this case, it is essential that each member of the external organisation exercising the functions of a DPO fulfils all applicable requirements of the GDPR. It is recommended that the service contract clearly allocates tasks within the external DPO team and assigns a single individual as lead contact and person "in charge" for the client (p. 22 of the ART29WP Guidelines).

DPO Skills
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in article 39 (article 37 § 5 of the GDPR).

The designated DPO should at least have the following skills:

  • Knowledge of Data Protection Laws – The data protection officer is a person with expert knowledge of data protection law and practices, who assists the controller or processor to monitor internal compliance with the GDPR (recital 97 of the GDPR). In particular, DPOs must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR (p. 23 of the ART29WP Guidelines).
  • Knowledge of the Business Sector and the Organisation – Knowledge of the business sector and of the organisation of the controller is useful (pp. 11 and 23 of the ART29WP Guidelines).
  • Knowledge of the Processing Operations Carried Out – The DPO should also have a good understanding of the processing operations carried out (pp. 11 and 23 of the ART29WP Guidelines).
  • Knowledge of the Controller's Information Systems – The DPO should also have a good understanding of the information systems, and of the data security and data protection needs, of the controller (pp. 11 and 23 of the ART29WP Guidelines).
  • Knowledge of the Public Body’s Administrative Rules – In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organisation (p. 11 of the ART29WP Guidelines).
  • Ability to Promote a Data Protection Culture within the Organization (p. 23 of the ART29WP Guidelines).
  • Adequate Level of Expertise – The necessary level of the DPO’s expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor (recital 97 of the GDPR). The required level of expertise must be commensurate with the sensitivity, complexity and amount of data an organisation processes. Where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the level of expertise of the DPO should be high (p. 11 of the ART29WP Guidelines).
  • Personal Qualities – The DPO should fulfil his or her tasks with integrity and high professional ethics (p. 12 of the ART29WP Guidelines).

The controller should clearly outline both in the DPO’s contract and in information provided to employees, management and other stakeholders, where relevant, the precise tasks of the DPO and their scope, in particular with respect to carrying out the DPIA (p. 18 of the ART29WP Guidelines).

DPOs and Conflict of Interests
The data controller or processor is obliged to ensure that any tasks and duties of the DPO do not result in a conflict of interests (article 38 § 6 of the GDPR). The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Hence, even though DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests (p. 16 of the ART29WP Guidelines).

A position within the organisation should be evaluated for a possible conflict of interests with the role of the DPO if it has one or more of the following characteristics (p. 16 of the ART29WP Guidelines):

  • Managerial role at a senior level.
  • Decision making power regarding the purposes and the means of the processing of personal data.

Positions that, as a rule, conflict with the role of the DPO include the following senior management positions (p. 16 of the ART29WP Guidelines):

  • Chief executive officer;
  • Chief operating officer;
  • Chief financial officer;
  • Chief medical officer;
  • Head of marketing department;
  • Head of Human Resources;
  • Head of IT departments.

In addition, other roles lower down in the organisational structure may result in a conflict of interests, if such positions or roles lead to the determination of purposes and means of processing (p. 16 of the ART29WP Guidelines).

If the function of the DPO is exercised on the basis of a service contract concluded with an individual or an organisation outside the controller's or processor's organisation, it is essential that each member of the external organisation exercising the functions of a DPO fulfils all applicable requirements of the GDPR, for example that no member of that organisation has a conflict of interests (p. 5 of the ART29WP Guidelines).

It has to be taken into account that a conflict of interests may arise if, for example, an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues (p. 16 of the ART29WP Guidelines).

In case that the tasks of the DPO are exercised on the basis of a service contract, for the sake of legal clarity and good organisation and to prevent conflicts of interests for the team members, it is recommended to have a clear allocation of tasks within the DPO team and to assign a single individual as a lead contact and person ‘in charge’ for each client. It would generally also be useful to specify these points in the service contract (p. 12 of the ART29WP Guidelines).

Tasks and Obligations of the DPO
The data protection officer shall have at least the following tasks (article 39 § 1 of the GDPR):

  • Advice – To inform and advise the controller or the processor and the employees who carry out processing of their obligations according to the GDPR and other applicable data protection EU and member-state laws;
  • Compliance – To monitor compliance with the GDPR, other applicable data protection EU and member-state laws and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; DPOs may, in particular, (i) collect information to identify processing activities, (ii) analyse and check the compliance of processing activities, and (iii) inform, advise and issue recommendations to the controller or the processor (p. 17 of the ART29WP Guidelines).
  • DPIAs – To provide advice where requested as regards data protection impact assessments and monitor their performance; In particular, the controller should seek the advice of the DPO, on the following issues, amongst others : (i) whether or not to carry out a DPIA; (ii) what methodology to follow when carrying out a DPIA; (iii) whether to carry out the DPIA in-house or whether to outsource it; (iv) what safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects; (v) whether or not the data protection impact assessment has been correctly carried out; and (vi) whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with the GDPR. If the controller disagrees with the advice provided by the DPO, the DPIA documentation should specifically justify in writing why the advice has not been taken into account (p. 17 of the ART29WP Guidelines).
  • Cooperation with the DPA – To cooperate with the supervisory authority;
  • Contact Person for the DPA – To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in article 36 of the GDPR, and to consult, where appropriate, with regard to any other matter. In particular, the DPO may contact and seek advice from the supervisory authority and, in general, consult the supervisory authority on any other matter, where appropriate (p. 18 of the ART29WP Guidelines).
  • Contact Person for Data Subjects – Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under the GDPR (article 38 § 4 of the GDPR).
  • Record Keeping – Nothing prevents the controller or the processor from assigning the DPO the task of maintaining the record of processing operations under the responsibility of the controller or the processor (article 30 of the GDPR). Such a record should be considered as one of the tools enabling the DPO to perform his or her tasks of monitoring compliance and of informing and advising the controller or the processor (p. 20 of the ART29WP Guidelines).

Furthermore, the data protection officer shall have at least the following obligations:

  • Risk Monitoring – In the performance of his or her tasks, the data protection officer shall have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing (article 39 § 2 of the GDPR). In particular, DPOs should prioritise their activities and focus their efforts on issues that present higher data protection risks. In this context, the DPO should advise the controller what methodology to use when carrying out a DPIA, which areas should be subject to an internal or external data protection audit, which internal training activities to provide to staff or management responsible for data processing activities, and which processing operations to devote more of his or her time and resources to (p. 18 of the ART29WP Guidelines).
  • Confidentiality – The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law (article 38 § 5 of the GDPR). Confidentiality is important. For example, employees may be reluctant to complain to the DPO if the confidentiality of their communications is not guaranteed (p. 12 of the ART29WP Guidelines).

DPOs are not personally responsible for non-compliance with the GDPR. Monitoring of compliance does not mean that the DPO is personally responsible where there is an instance of non-compliance: data protection compliance is the corporate responsibility of the controller or the processor, not of the DPO (pp. 4 and 17 of the ART29WP Guidelines).

Tips
In relation to the designation and operation of the DPO within its organisation, it is recommended that the controller or processor:

  • Outlines precisely and in detail the role, tasks and duties of the DPO in the designation contract.
  • Establishes an internal process which stipulates when, and in which cases, the DPO is involved in the operation of the organisation.
  • Ensures that the designated DPO has no conflict of interests in the conduct of his or her role, and provides for a reporting mechanism to monitor and prevent such cases.
  • Ensures that the DPO supports the organisation's accountability to the supervisory authority through up-to-date record keeping and documented compliance with appropriate data protection policies.
  • Ensures that the DPO provides appropriate advice in regard to the organisation's high-risk processing activities.
  • Ensures that the DPO reports directly to the highest management level of the organisation.
  • Ensures that the DPO is not interfered with in the exercise of his or her role and duties.

Resources

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
Art29 WP, Guidelines on Data Protection Officers (‘DPOs’), 16/EN, WP 243 rev.01.