Under specific conditions the GDPR requires you to appoint a Data Protection Officer or DPO.
While it’s recommended to have someone who is responsible for data protection and General Data Protection or GDPR compliance (with a clear role and place in the organization), the Data Protection Officer is only mandatory in three circumstances.
You need a Data Protection Officer in following cases:
- The processing (of personal data) is done by public authorities or a public body, with an exception for courts and independent judicial authorities.
- The processing is done by processors who regularly and systematically observe ‘data subjects’ (EU residents) on a large scale.
- The processing involves specific ‘special’ data categories (which are defined in the GDPR), again on a large scale, as processing these special types of personal data is part of your core business. Data regarding crimes and convictions are included here.
Skillset and duties of the Data Protection Officer
A challenge that arises is that the text doesn’t say what exactly ‘large scale’ means although in the list of resources below there are some attempts to put some numbers on it.
Attention though: the numbers that existed in proposals of the GDPR do not exist in the final text. So, you don’t need a DPO when you employ over 250 people nor when your process over 5,000 personal records (even if you will find resources or presentations that say so).
According to the text of the GDPR, as it is published in the Official Journal of the European Union, the Data Protection Officer must:
- Have expert knowledge of data protection, both law and practices, including the GDPR obviously.
- Help the data controller or data processor by monitoring internal compliance with the GDPR (the data controller and processor also need to assist the Data Protection Officer in performing his duties).
- Be able to perform their duties and tasks in an independent manner (although they can be employed by the data controller, in Germany Data Protection Officers have been employed since quite some time).
In none-legalese: you only need a DPO in three specific circumstances. If you are an organization that falls under one or more of these three, you can appoint an external Data Protection Officer or appoint someone within your company.
Moreover, the DPO does not need to be a full-time job so they can be employees with other tasks as well (as long as there are no conflicts of interest).
However, when they are performing duties in the scope of their role as DPO, they must be enabled to work independently whereby reporting is done directly to top management. And do we need to add that a DPO is bound by secrecy and confidentiality?
There is also a duty of registration of the DPO with the European Data Protection Supervisor.
Last but not least, a DPO can work for several organizations but at the same time he/she is the Single Point of Contact for the organization(s).
Resources regarding the Data Protection Officer
Below are more resources on the role, skillsets and duties of the Data Protection Officer.
The Data Protection Officer and the number of employees
Attention: an often made mistake concerns organizations with less than 250 employees. Amendments have been made and the published text mentions these companies at two occasions:
In the introduction (13): “To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC”
In article 30 regarding the records of processing activities (about the maintaining of a record of processing activities and of a record of all categories of processing activities carried out on behalf of a controller) the data protection officer is mentioned as a possible responsible for these records of processing activities (“where applicable”).
Yet, the text clearly states that “the obligations referred to in paragraphs 1 and 2 (note: the two paragraphs in article 30) shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10″.
- The mentioned article 9 concerns personal data regarding highly personal characteristics of the data subject (e.g. race, religion, trade union membership, genetic data, sexual orientation and so forth).
- The mentioned article 10, as article 30 already says, is about data relating to criminal convictions and offences.
Nowhere in the articles with regards to the conditions about the duty to have a Data Protection Officer, the number of employees is mentioned.
In other words: beware as it’s the nature of data processed and nature of the organization with regards to data processing activities that comes first in the DPO duty context as mentioned and the exceptions for organizations with less than 205 employees in general are not absolute. .
Top image: Shutterstock – Copyright: Jirsak – All other images are the property of their respective mentioned owners.