Data protection officers (“DPO”) will become key figures within organisations striving to ensure compliance with the stricter requirements of the GDPR as from May 2018. In the end of 2016, a conservative estimate by the International Association of Privacy Professionals suggested that 75,000 DPO positions will be created globally in response to the adoption of the GDPR. Year before the GDPR’s entry into effect, you may want to consider if your company will be required to appoint a DPO.
What is a DPO?
A DPO is a person “with expert knowledge of data protection law and practices” whose primary function is to assist the controller (or processor) in achieving compliance with the GDPR. Article 39 of the GDPR specifies the minimum amount of tasks each DPO must perform:
- advise the controller or the processor and their employees of their obligations with respect to data protection. Since the GDPR is yet to be applied throughout the EU, a DPO must stay up-to-date with any trends in the implementation of the Regulation by the relevant national supervisory authorities where his company operates;
- monitor compliance with the GDPR – a DPO should assess the internal processing activities of the controller, analyse their conformity with the GDPR and provide recommendations, if necessary;
- advise where requested on data protection impact assessments (“DPIAs”) and monitor their performance – companies are required to perform DPIAs before introducing new processing activities which are likely to result in a high risk to the rights and freedoms of natural persons;
- cooperate with the supervisory authority (e.g. the Bulgarian Personal Data Protection Commission) and act as a point of contact with both regulators and data subjects – the DPO may act as the company’s representative in case of inspections by the supervisory authority or inquiries by data subjects with regard to any issues related to processing of their personal data and to the exercise of their rights under the GDPR;
The DPO is not personally liable for ensuring compliance with the data protection rules within a company. The GDPR explicitly states that it is the controller or processor who must demonstrate conformity with the Regulation.
Position of the DPO within the company
Companies may appoint DPOs either in-house as employees or as external counsels (i.e. based on a service contract). The controller and the processor must ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. If additional tasks and duties are fulfilled by the DPO, they should not result in a conflict of interests. Such conflict is likely to exist where the DPO, being an advisor on data privacy policies and compliance, is also a senior manager who resolves on the implementation of such policies and on the undertaking of new processing activities.
The DPO must be able to perform their duties in an independent manner, i.e. should not receive any instructions regarding the exercise of their tasks. Companies must create organisation structures which permit the DPOs to report directly to the top management. The DPO should not be dismissed or penalised by the controller or the processor due to performance of their tasks.
If a DPO has been appointed as an employee, the DPOs’ independent status might contradict some rules of the effective employment legislation in Bulgaria which provides high level of protection to employees with respect to the grounds for dismissal and disciplinary measures. In such cases, appointing an external DPO might be a preferable option.
When is it mandatory to appoint a DPO?
The designation of a DPO is mandatory:
- where the controller or processor is a public authority or body;
- if the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- if the core activities of the controller or the processor consist of processing on a large scale of special categories of data (sensitive data) or personal data relating to criminal convictions and offences.
The GDPR stipulates that, in the private sector, “the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities”. Primary activities are either part of a company’s business (e.g. internet service providers or telecom companies processing their clients’ traffic data) or activities which are inherently connected with the company’s business (a hospital processing data related to its patients’ health). Processing employees’ personal data is likely to be considered an ancillary activity.
“…processing on a large scale…”
Appointment of a DPO is mandatory where the controller’s core activities consist of processing operations performed on a large scale. The GDPR does not indicate how to determine a large-scale processing. According to the Article 29 Working Party, the following factors must be taken into account:
- The total number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
- The volume of data and/or the range of different data being processed;
- The duration, or permanence, of the data processing activity;
- The geographical extent of the processing activity.
“…require regular and systematic monitoring…”
Regardless of the categories of personal data processed, appointment of a DPO is mandatory where the company’s core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
The GDPR hardly gives any indication what a regular and systematic monitoring is. A regular and systematic activity may be any activity which is performed repeatedly (either at fixed times or at intervals) and according to a predetermined system (process). Telecom operators, internet service providers, search engines, online marketing or location-tracking applications inevitably have to perform regular and systematic monitoring of data subjects as a part of their core activities.
“…special categories of data or data relating to criminal convictions and offences…”
Regular and systematic monitoring of data subjects is irrelevant where certain sensitive categories of personal data are processed by a company on a large scale. Such data is specified in Articles 9 and 10 of the GDPR, e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data etc. In these cases, appointing of a DPO is mandatory.
- Perform as soon as possible an internal analysis on the need to appoint a DPO and, regardless of the results, document the entire process so as to stay in line with the accountability principle.
- If in doubt whether appointing a DPO is mandatory for your organisation, err on the side of caution and appoint a DPO. Failure to do so (if mandatory) is in itself a formal breach of the GDPR subject to a hefty fine. In any case, a DPO would help ensure the overall GDPR compliance process within the company.
- Mind that compliance with the data protection legislation is a multidisciplinary task. Whether your DPO is a legal, IT or other cyber security professional, you will always need both legal and IT expertise within the team.
The information contained in this post is not intended to and does not constitute a legal advice under Bulgarian law or under the laws of any other jurisdiction and is provided for informational purposes only.