Data Protection Officer: “When” do you need one and “How” do you need one?

There are a lot of questions being asked about the role of the data protection officer (DPO) and when and where one is needed under the GDPR. In this first blog on DPO, we will cover the following questions: What is a DPO? When and where is a DPO needed? And how to structure the DPO position inside an organization?

The general provisions on DPO are covered under the Section 4 of the GDPR, or more specifically under the articles 37, 38 and 39. Those articles respectively cover the designation of a data protection officer, its position, as well as the tasks he is entitled to perform.

In order to clarify this provision as well as to respond to some questions that were left open, the Article 29 Working Party published a guideline on Data Protection Officer. Two versions of that guidance were published. A draft guidance, from December 2016, answering some of the major questions but leaving others open. A final version, adopted 5 April 2017, making things more transparent.

Defining a data protection officer

A DPO is an enterprise security leadership role required by the GDPR for all companies that collect or process EU citizens’ personal data. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

Designation of a data protection officer – Do you need a DPO?

Data protection officers have to be designated for any organization that processes or stores large amounts of personal data, whether for employees, individuals outside the organization, or both.

Article 37(1) of the GDPR requires the mandatory appointment of a DPO in three specific cases a) , b) and c). We will review those three cases and, through the analysis of the guidance, we will try to have a clearer understanding of each those.

a) Where the processing is carried out by a public authority or body;
– Public authority or body
The GDPR does not define what constitutes a “public authority or body”. Nevertheless, the Working Party 29 covers this gap and highlights that public authorities and bodies include national, regional and local authorities. Moreover, the concept also includes a range of other bodies governed by public law (e.g. public transport services, water and energy supply, road infrastructure, etc).

b) Where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale;
– Core activities
These are the key operations necessary to achieve the controller’s or processor’s business’s goals. It does not include the processing of personal data as ancillary activities (e.g. payroll) but does include the processing which forms an inextricable part of a business’s activity. The WP29 suggested an example of a hospital: the core activity is to provide healthcare, but in order to provide healthcare safely and effectively, the hospital has to be allowed to process health data, such as patients’ health records.

– Monitoring of the behavior of data subjects
This concept is defined in the Recital 24 of the GDPR. In order to determine whether a processing activity can be considered as monitoring the behavior of data subjects, it should be ascertained whether natural persons are tracked and profiled over the internet, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.

– Regular monitoring
The Working Party 29 interprets “regular” as ongoing or occurring at particular intervals, repeated at fixed times and/or constantly or periodically taking place.

– Systematic monitoring
“Systematic” means occurring according to a system and/or taking place as part of a general plan for data collection as well as carried out as part of a strategy.
Examples of regular and systematic monitoring activities include email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment, location tracking, loyalty programs, behavioral advertising, etc.

– Large scale
The GDPR does not define what constitutes large-scale processing, though recital 91 provides some guidance. Recital 91 states that the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer.

The same goes for the Article 29 Working Party, which does not give a precise number either with regard to the amount of data processed or to the number of individuals concerned. However, the guidance sets a list of factors to consider when defining “large scale” processing: number of data subjects concerned, volume of data being processed and duration as well as the geographical extent of the processing activity etc.

Examples of large scale processing include: The processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in providing these services; The processing of customer data in the regular course of business by an insurance company or a bank; The processing of personal data for behavioral advertising by a search engine; The processing of data (content, traffic, location) by telephone or internet service providers.

Moreover, it is worth mentioning that organizations relying upon cloud-based storage providers will not be exempted from complying to the GDPR. This means that if an organization is using Amazon Web Services, Google Cloud or Microsoft Azure, it will not be able to blame Amazon, Google or Microsoft for failure to comply with the GDPR.

Designation of a data protection officer – How to structure the DPO position?

Article 37(2) allows a group of undertakings to designate a single DPO provided that he or she is “easily accessible from each establishment”. This notion of “easily accessible” raises some questions related to the character of a Group DPO, a Team DPO, an external DPO or even a part-time DPO.

– Group DPOs
The GDPR allows group companies to appoint a single DPO, as long as they are “easily accessible” from each establishment of the group. The Working Party 29 guidance interpret this notion of accessibility and personal availability in light of two elements: 1) DPO must publish their contact details; 2) DPO must communicate in the language(s) of the supervisory authorities and data subjects concerned.

Moreover, if a group has establishments inside and outside of the EU, the Working Party 29 specified that the DPO should be located within the EU.

Furthermore, as effective as a Group DPO may sound to organizations, this notion remains blurry. How will this work in practice for the DPO of an organization established in a large number of time zones covering data subjects speaking dozens of different languages?

– Team DPOs
The guidance of the Working Party 29 specifies that the DPO may perform its functions “with the help of a team”. Therefore, while GDPR mainly refers to DPO as an individual, this allows us to rationalize that in reality the DPO of large organizations will head of a team of deputies.

– External DPOs
According to Article 37(6) of the GDPR, the data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. This means that the DPO can be external, and in this case, his/her function can be exercised based on a service contract concluded with an individual or an organization.

– Part-time DPOs
The GDPR states the DPO may combine the role with another. The Working Party 29 added that the other role cannot be a position in which they are determining the purposes and means of processing (e.g. CEO, Head of HR or Head of IT). Working Party 29 also highlighted that part-time DPOs may also be a team.

– Shared DPOs
Most small- to medium-sized businesses across Europe are unlikely to require the services of a DPO on a full-time basis. GDPR and the Working Party 29 are highlighting the fact that DPOs can be shared across organizations so long as their role in each is not compromised or diminished by another.

– Virtual DPO
Virtual DPO can be viewed as a third-party outsourced offering that offers a DPO presence for an agreed number of days per year.

Bibliography
Amaye, N. (2019, September 30). News / Articles. Retrieved from DPO Circle: https://dpocircle.eu/content.aspx?page_id=5&club_id=341464&item_id=39021&