For many organisations, the appointment of a DPO has become mandatory. Although Articles 37 to 39 of the GDPR make provisions for the designation, position and tasks of a DPO, somee misconceptions still exist about who needs one, who can be one and what kind of tasks a DPO can undertake.
Who is a DPO?
According to GDPR Art. 39, the data protection officer is responsible for:
- advising the controller or processor about their obligations under the GDPR and monitoring compliance with the same;
- awareness-raising and training of staff involved in processing operations and related audits;
- cooperating with, and acting as contact point for the supervisory authority on issues relating to processing.
According to article 38.3 of the GDPR, the DPO shall report directly to the top management of the controller or processor. Article 38.3 further states that the DPO must not receive instructions from the controller or processor regarding the exercise of its statutory tasks. The DPO shall not be dismissed or penalised for performing its tasks.
Based on the foregoing, a DPO is an independent officer reporting to top-level management of an organisation and responsible for monitoring compliance with, and advising on applicable data protection laws within that organisation.
A DPO can either be a qualified individual or an organisation. According to article 37.6 of the GDPR, a DPO may fulfil its tasks on the basis of a service contract. The Article 29 Working Party (WP29) further explains that a service contract may be concluded with an organisation for DPO services. In this case, individual skills can be combined so that several individuals, working in a team, may efficiently serve their clients. Such organisations offer DPO as a service.
Does my organisation need a data protection officer?
The office of the DPO is a statutory creation. Having looked at its tasks, you might ask- do I need one? Article 37 of the GDPR states that controllers and processors shall designate a DPO. Interestingly, it provides instances where a DPO must be appointed, but not where it is not necessary to do so. According to article 37 GDPR, appointment is necessary where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.
However, GDPR Article 37.4 states that in all other instances, a organisation may voluntarily appoint a DPO or do so if required by member state law.
Section 38 of the German Federal Data Protection Act (BDSG) provides that the controller and processor shall designate a data protection officer if:
- they constantly employ, as a rule, at least 20 persons dealing with the automated processing of personal data;
- the controller or processor undertake processing subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679;
- they commercially process personal data for the purpose of transfer, of anonymized transfer or for purposes of market or opinion research, […] regardless of the number of persons employed in the processing.
Misconception:
Every German business needs to appoint a DPO.
Clarification
Under the BDSG in Germany, your business must appoint a DPO if it:
- employs at least 20 persons;
- carries out the automated processing of personal data or processing subject to a data protection impact assessment;
- commercially process personal data for the purpose of transfer, of anonymized transfer or for purposes of market or opinion research.
Under the GDPR, organisations need to appoint a DPO if:
- they are a public authority or body, except for courts acting in judicial capacities;
- their core activities consist of processing which require regular and systematic monitoring of data subjects on a large scale;
- their core activities consist of processing special categories of data on a large scale or personal data relating to criminal convictions and offences.
Can I appoint an employee within my organisation as DPO?
Misconception
Anyone with the relevant knowledge within my organisation can be its DPO.
Clarification
According to article 37.6 of the GDPR, the DPO may be a staff of the controller or processor. A DPO may also fulfill the task on the basis of a service contract. However, article 38.6 states that an organisation must ensure that the duties of its DPO do not result in a conflict of interests. Article 38.3 states that the DPO shall:
- not receive instructions regarding the exercise of its tasks;
- not be dismissed or penalised for performing its tasks;
- directly report to the highest management level.
Conflict of interest
A conflict can arise where, the DPO also determines the means and purposes of the processing of personal data. For instance; a Chief Information Security Officer will often implement measures to secure data, eg. establishing access controls. Steps taken towards securing data can also qualify as processing e.g. the pseudonymisation and encryption of data. Therefore, it would create a conflict of interest where the Officer determines the means of processing, and as DPO, also has to reach a conclusion that the means of processing is non-compliant with the GDPR.
In September, 2022, the Berlin Supervisory authority issued a fine of €525,000 to an e-commerce company. An employee in a managerial position was appointed as DPO. The company appointed a data protection officer who was to independently monitor decisions he had taken in a different capacity. The Authority stated that a data protection officer cannot both monitor compliance with data protection law and co-decide about it. Such self-regulation contradicts the independent function of a DPO supposed to be responsible for data protection compliance within the company.
The WP29 in its Guidelines on Data Protection Officers (DPOs) states that ‘… conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing’.
Measures to avoid DPO conflict of interest within an organisation
Controllers and processors can put measures in place to avoid conflict of interest when appointing an internal DPO. The WP29 provides a list of measures in its Guidelines on DPOs; however, the list is not exhaustive. Organisations should continue to avoid conflicts of interest by any means necessary. The measures offered by the WP are that organisations should:
- identify the positions which would be incompatible with the function of DPO;
- draw up internal rules to this effect in order to avoid conflicts of interests. Drawing up rules helps management stick by them;
- include a more general explanation about conflicts of interests
- declare that their DPO has no conflict of interests with regard to its function as a DPO, as a way of raising awareness of this requirement;
- include safeguards in the internal rules of the organisation and ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed […]. In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally
Summary
The GDPR specifically provides for the office, appointment, position, tasks and duties of a DPO. Whether or not you need one will depend on factors stated in the GDPR. It will also depend on the respective applicable national data protection laws. When appointing an employee as your DPO, it is also important to assess the possibility of a conflict of interests. Internal DPOs are more prone to conflict of interests since they are saddled with other tasks in the organisation. Organisations should be mindful of how tasks will prove incompatible with the independent oversight of the DPO.
No specific section of the GDPR deals with the liabilities of a DPO around ensuring compliance. This is because controllers and processors are liable for non-compliance at all times. Understandably, an officer who is able to execute their tasks without fear is more likely to act independently. In addition, because DPOs do not make management decisions or determine the means and purposes of processing, they could not possibly be liable for those decisions. According to the Guidelines of WP29, a DPO could still be dismissed legitimately for reasons other than for performing his or her tasks as a DPO (for instance, in case of theft, physical, psychological or sexual harassment or similar gross misconduct).
If you would rather appoint an external DPO or need help in determining whether to appoint one, contact us for a tailored assessment.