The Office of the Data Protection Commissioner recently shared its advice on who needs a Data Protection Officer, their role, responsibilities and obligations...
The Data Protection Officer (DPO) role is an important GDPR innovation and a cornerstone of the GDPR’s accountability-based compliance framework. In addition to supporting an organisation’s compliance with the GDPR, DPOs will have an essential role in acting as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).
The DPO will have professional standing, independence, expert knowledge of data protection and, to quote the GDPR, be ‘involved properly and in a timely manner’ in all issues relating to the protection of personal data.
The DPC recommends that all organisations who will be required by the GDPR to appoint a DPO should do this as soon as possible and well in advance of May 2018. With the authority to carry out their critical function, the Data Protection Officer will be of pivotal importance to an organisation’s preparations for the GDPR and meeting the accountability obligations.
A DPO may be a member of staff at the appropriate level with the appropriate training, an external DPO, or one shared by a group of organisations, which are all options provided for in the GDPR.
It is important to note that DPOs are not personally responsible where an organisation does not comply with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is in accordance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or the processor.
Who needs a DPO?
Public Authority or Body?
Public authorities and bodies include national, regional and local authorities, but the concept typically also includes a range of other bodies governed by public law.
It is recommended, as a good practice, that private organisations carrying out public tasks or exercising public authority should designate a DPO.
Core activities can be defined as the key operations necessary to achieve an organisation’s (controller or processor’s) goals. For example, a private security company which carries out surveillance of private shopping centres and/or public spaces using CCTV would be required to appoint a DPO as surveillance is a core activity of the company. On the other hand, it would not be mandatory to appoint a DPO where an organisation undertakes activities such as payroll and IT support as, while these involve the processing of personal data, they are considered ancillary rather than core activities.
While the GDPR does not define ‘large-scale’, the following factors should be taken into consideration:
Examples of large-scale processing include:
Examples that do not constitute large-scale processing include:
Regular and systematic monitoring
Regular and systematic monitoring should be interpreted, in particular, as including all forms of tracking and profiling on the internet, including for behavioural advertising. However, the definition of monitoring is not restricted to the online environment. Online tracking is just one example of monitoring the behaviour of individuals.
‘Regular’ is interpreted by the Working Party 29 (comprising the EU’s data protection authorities) as meaning one or more of the following:
‘Systematic’ is interpreted as meaning one or more of the following:
Examples would likely include operating a telecommunications network; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. fraud, credit scoring, insurance premiums); loyalty programmes; CCTV; and connected devices (e.g. smart cars).
Special Categories of Data – these include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or personal data relating to criminal convictions and offences.
Further information and guidance
Further information and guidance on the Data Protection Officer role is set out in the guidelines of the Working Party 29. In particular, these guidelines set out the position of the EU’s data protection authorities on matters such as: