New DPO guidelines adopted by EU body
April 2017 | EXPERT BRIEFING | DATA PRIVACY
The new EU General Data Protection Regulation (GDPR) provides that public authorities, as well as certain private businesses, must designate a data protection officer (DPO). However, the GDPR's general description of when private businesses in particular must designate a DPO, as well as the requirements for the DPO and the dismissal protection envisaged for the DPO, gives rise to a number of questions.
The so-called Article 29 Working Party, which is composed of members from the individual national data protection authorities in Europe, has now issued a number of guidelines to help answer some of those questions.
When to designate a DPO
The GDPR requires the designation of a DPO in three specific situations: (i) where the processing is carried out by a public authority or body; (ii) where the core activities of the controller or the processor consist of processing operations which require “regular and systematic monitoring of data subjects on a large scale”; or (iii) where the core activities of the controller or the processor consist of “processing on a large scale of special categories of data and personal data relating to criminal convictions and offences”.
The term “core activities” relates to the primary activities of the business necessary to achieve the controller’s or processor’s goals. As an example, the Working Party mentions that the core activity of a hospital is to provide healthcare. However, a hospital cannot provide healthcare safely and effectively without processing health data, such as patients’ health records. Therefore, processing this data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs.
On the other hand, the Working Party recognises that all organisations carry out necessary ancillary functions for the organisation’s core activity, such as paying their employees or having standard IT support activities. These are not considered “core activities”.
When determining whether the processing of personal data is carried out on a “large scale”, according to the Working Party, different factors must be considered, including the number of data subjects concerned, the volume of data and the duration of the data processing activity. As an example of large-scale processing, the Working Party mentions the processing of the travel data of individuals using a city’s public transport system.
In relation to “regular and systematic” monitoring, according to the Working Party, this would, for instance, be ongoing or occur at particular intervals for a particular period according to, for example, a system or as part of a strategy. This includes providing telecommunications services, email retargeting, profiling and scoring for purposes of risk assessment and location tracking by mobile apps, loyalty programmes, behavioural advertising and closed circuit television, among others.
With regard to the processing of “special categories of data” and “personal data relating to criminal convictions and offences”, these are set out in articles 9 and 10 of the GDPR.
The DPO’s position
The DPO must be involved, properly and in a timely manner, in all issues which relate to the protection of personal data. Thus, according to the Working Party, it is crucial that the DPO is involved, from the earliest stage possible, in all issues relating to data protection.
The Working Party recommends that an organisation ensures, among other things, that: (i) the DPO is invited to participate regularly in meetings of senior and middle management; (ii) the DPO’s presence is recommended where decisions with data protection implications are taken, and all relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide adequate advice; (iii) the opinion of the DPO must always be given due weight, and in case of disagreement, the Working Party recommends, as good practice, documenting the reasons for not following the DPO’s advice; and (iv) the DPO must be promptly consulted once a data breach or another incident has occurred.
The GDPR requires the organisation to support its DPO by providing resources necessary to carry out their tasks and access to personal data and processing operations, and to maintain the DPO’s expert knowledge. According to the Working Party, this includes active support of the DPO’s function by senior management (such as at board level), sufficient time for DPOs to fulfil their duties and adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate. Also, necessary access to other services, such as human resources, legal, IT and security, among others, so that DPOs can receive essential support, input and information from those other services, as well as continuous training, would be examples of compliance with the GDPR within this field.
The GDPR also establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers and processors are required to ensure that the DPO does not receive any instructions regarding the performance of his or her tasks. According to the Working Party, this means that DPOs must not be instructed in how to deal with a matter, such as what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority.
According to the GDPR, DPOs should not be dismissed or penalised by the controller or the processor for performing their tasks. Also, according to the Working Party, penalties may take a variety of forms and may be direct or indirect, such as absence or delay of promotion, prevention from career advancement or elimination of benefits that other employees receive. It is not a requirement that such penalties are actually carried out; a mere threat is sufficient, as long as the measures are used to penalise the DPO on grounds related to his or her DPO activities.
However, the Working Party stresses that subject to the applicable national contract or labour law, a DPO can still be dismissed legitimately for reasons other than for performing his or her tasks as the DPO.
Tasks of the DPO
The DPO must, among other duties, assist the controller or the processor with monitoring internal compliance with the GDPR. The Working Party stresses that this does not mean that the DPO is personally responsible in case of non-compliance. Thus, the GDPR makes it clear that data protection compliance is a corporate responsibility of the data controller, not of the DPO.
More specifically, the DPO would play an important part in a number of activities, including when carrying out a data protection impact assessment (DPIA) and when deciding which areas should be subject to an internal or external data protection audit, which internal training activities should be provided to staff or management responsible for data processing activities, and to which processing operations the DPO should devote more of his or her time and resources.
Also, according to the Working Party, the DPO would assist in maintaining the record of processing operations, including creating inventory and holding a register of processing operations, based on information provided to them by the various departments in their organisation responsible for the processing of personal data.
Difficulties finding a DPO
The new Working Party guidelines do not address the potential difficulties related to finding a suitable DPO.
Thus, according to the GDPR, the DPO will be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices. The required level of expertise is not strictly defined but it is – also according to the Working Party – a relevant element that DPOs should have expertise in national and European data protection laws and practices, and an in-depth understanding of the GDPR. Also, knowledge of the business sector and the organisation of the controller would be useful. Further, the DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems and data security and data protection needs of the controller. Moreover, the personal qualities should include integrity and high professional ethics as the DPO plays a key role in fostering a data protection culture within the organisation and helps to implement essential elements of the GDPR, such as the principles of data processing, data subjects’ rights, data protection by design and default, records of processing activities, security of processing and notification and communication of data breaches.
Such qualifications are not common, and you will not find DPOs growing on trees. This might be a real problem and recent studies have shown that across Europe a minimum of 28,000 DPOs are estimated to be needed when the GDPR enters into force in May 2018.
Elsebeth Aaes-Jørgensen is a partner, Jens Harkov Hansen is a senior associate and Stina Lindberg Hansen is a junior associate at Norrbom Vinding. Ms Aaes-Jørgensen can be contacted on +45 35 25 39 79 or by email: firstname.lastname@example.org. Mr Hansen can be contacted on +45 35 25 09 41 or by email: email@example.com. Ms Hansen can be contacted on +45 35 25 39 43 or by email: firstname.lastname@example.org.
© Financier Worldwide
Elsebeth Aaes-Jørgensen, Jens Harkov Hansen and Stina Lindberg Hansen