Compliance

Should my company appoint a DPO?

Under certain conditions, the GDPR obliges companies to appoint a DPO (data protection officer). The primary role of a DPO is to ensure that your company processes the personal data of its staff, customers, suppliers and any other individuals in compliance with the applicable data protection rules. Accordingly, a DPO should assist your company in monitoring data protection compliance, provide information and advice on your data protection obligations, act as a direct contact point for individuals on all issues related to the processing of their personal data and the exercise of their rights under the GDPR, and act as the contact point for the competent Data Protection Authority. As the DPO forms an integral part of the organisation, they are ideally placed to help guarantee data protection compliance.

There are four situations in which a DPO must be appointed:

  1. Public authority/body
    Where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity).

  2. Regular and systematic monitoring
    Where the core activities of your company (or of its processor) consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of individuals on a large scale.
    Core activities are the key operations needed to achieve your company's goals; ancillary functions such as payroll or standard IT support do not count, even though they involve personal data.
    Monitoring includes all forms of tracking and profiling, online and offline, such as email retargeting, behavioural advertising, CCTV and location tracking.

  3. Special categories or criminal convictions and offences
    Where the core activities of your company (or of its processor) consist of large-scale processing of special categories of data or of personal data relating to criminal convictions and offences.
    Processing is large scale when a wide range or large volume of personal data is involved, when it occurs over a large geographical area, when a large number of individuals are affected, or when it is extensive or has long-lasting effects.

  4. Member State & Union law
    Where required by Union or Member State law (of the state in which you are processing personal data).

Do not forget to check other EU law and the national law of the state in which you are processing personal data, as they might have specific rules in place regarding the designation of a DPO.

Note that, even if your company is not obliged to designate a DPO under the criteria above, you may still do so on a voluntary basis.

How to appoint a DPO?

The DPO may either be a member of staff of your company (or of its processor), or you can outsource the position by means of a service contract with an individual or an organisation outside the company.

Before appointing your DPO, check whether the candidate has the necessary professional qualifications. All the statutory requirements, tasks and duties listed below must be fulfilled irrespective of whether the DPO is appointed internally or externally, and on a mandatory or voluntary basis.

1. Independence

The DPO must be able to perform their duties independently. This means that you must refrain from giving instructions on how the DPO's tasks are to be carried out, and from dismissing or penalising the DPO for performing those tasks. Contracts concluded with the DPO should contain appropriate terms that avoid putting the DPO in a vulnerable position: no unfair termination terms, no contractual sanctions, and no other direct or indirect instruments that may affect the DPO's independence.

2. Data protection expert

When choosing your DPO, assess whether the candidate has expert knowledge of data protection law and practices, as well as the ability to fulfil the DPO's tasks. Knowledge of the relevant business sector and of the functioning of the organisation the DPO will represent should also be taken into account.

3. Adequate resources

You must provide adequate resources to enable the DPO to meet their GDPR obligations and to maintain their expert level of knowledge. This concerns not only financial resources, but also time, infrastructure, staff and support from other services (e.g. HR and IT).[1]

4. No conflict of interest

It is not prohibited to combine the position of DPO with another position, but every risk of a conflict of interest must be assessed and mitigated on a case-by-case basis. As a rule, the DPO cannot hold a position in which they determine the purposes and means of the processing of personal data.

Example:

A company's head of the IT department monitors all user accounts and controls the rights of access to the IT infrastructure, including remote access to users' devices. The same person should not hold the position of DPO, because the DPO would have to monitor whether the head of IT's processing of users' data complies with GDPR requirements, which would likely result in a conflict of interest if one person held both positions.

5. Secrecy or confidentiality

The DPO must not disclose any information relating to the performance of their tasks, except in two situations:

  • The obligation to report directly on the fulfilment of the agreed tasks to the highest management level of your company

  • Requests for information by the competent data protection authority or any other public authority or body in accordance with EU or national law.

! It is allowed to appoint more than one DPO for your company, as well as to appoint a single DPO for several companies, depending on their organisational structure and size (e.g. a group of companies, several public authorities of the same sector, or associations), provided that the DPO remains easily accessible from each establishment!

! Note that the DPO is not responsible for ensuring compliance with privacy and data protection laws; that duty remains with your company (as controller or processor)!

Time for action

  • If in doubt whether a DPO must be appointed, it is recommended to appoint one; in any case, document the analysis behind your decision.

  • Check national law before appointing a DPO or deciding not to do so, as additional requirements may exist regarding the procedure of designation or notification.

  • Appointing an external DPO (e.g. a consultant or a lawyer) is often the simplest way to avoid conflicts of interest.

  • Do not forget to make the contact details of the DPO publicly available (e.g. on your website) and communicate them to the competent Data Protection Authority.

  • Ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

  • Give the DPO appropriate access to personal data, processing activities and other services within the company so that he or she can receive essential support, input or information.

  • In case you decide not to follow the DPO’s advice, document the reasons justifying this decision.

Further reading

ICO Guide to the General Data Protection Regulation (GDPR), section on Data Protection Officers, p. 195 ff.

The UK data protection authority (the ICO) has designed a useful tool to help you decide whether or not you should appoint a DPO. You can consult the tool here: https://ico.org.uk/for-organisations/does-my-organisation-need-a-data-protection-officer-dpo/.