Under the General Data Protection Regulation (GDPR), both controllers and processors must appoint a Data Protection Officer (DPO) in certain specified circumstances.
Article 35 of the GDPR makes it clear that the obligation to appoint a DPO applies:
(a) To all public authorities processing personal data (except for courts acting in their judicial authority); or
(b) Where the “core activities” of an entity involve “regular and systematic monitoring of data subjects on a large scale”; or
(c) Where the “core activities” of an entity involve “large scale” processing of “special categories of data”.
We have yet to see any guidance on what is meant by “core activities” and “large scale“.
The GDPR might offer the possibility that many companies (e.g. cloud service providers) will not have to appoint a DPO if they are not undertaking any online behaviour tracking or profiling activities and/or processing any special categories of data. Even if they are undertaking such activities, they will still be exempt from the requirement to appoint a DPO, if they can show that such activities are not “core” to the business.
However, Member States will still have discretion to enact national provisions imposing further requirements on the appointment of DPOs. This therefore raises the possibility that local requirements in one Member State may be more stringent than in another Member State.
Article 35(2) of the Regulation provides that a “group of undertakings” (e.g. a parent company and its subsidiaries) may appoint a single DPO, provided that the DPO is easily accessible from each local European establishment.
The GDPR does not identify the precise credentials DPOs must carry, but does require that they have “expert knowledge of data protection law and practices.” A DPO may be either an employee of the organisation or an external third party providing DPO services.
According to Article 37 of the GDPR, the following tasks will form part of a DPO’s role:
In addition to setting out the responsibilities of DPOs, the GDPR also grants them certain rights and benefits. Companies will be required to provide DPOs with the necessary company resources to fulfill their job functions and for their own ongoing training. DPOs must also have access to the company’s data processing personnel and operations, having significant independence throughout the performance of their roles, and a direct reporting line “to the highest management level” of the company. They are also shielded from dismissal or penalties for performing their tasks.
With regards to liability, the GDPR does not indicate that DPOs can be held personally liable in case of a failure to perform their obligations; at the same time the Regulation does not stipulate that cases of negligence are exempt from liability.
For more information or if you have any questions, please feel free to contact Dr Ian Gauci on igauci@gtgadvocates.com
Disclaimer: This article is not intended to impart advice and readers are asked to seek verification of statements made before acting on them.