The EU Regulation 2016/679 on the protection of personal data (GDPR), repealing Directive 95/46/EC, focuses, among other things, on a particular topic that will be governed by new, specific and more consistent rules: the Data Protection Officer (DPO).
This figure is already well known to European companies and institutions, but the GDPR finally clarifies and harmonizes the criteria of appointment, the role and the requirements of the DPO for businesses and all other entities.
What's new on the DPO with the GDPR?
Article 37 of the GDPR prescribes that DPOs must be appointed for all public authorities, and where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data” (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like, as defined in Article 9). The DPO shall, according to Art. 37, “be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. No details are provided regarding the skills or qualifications of the DPO, but the Regulation specifies that the DPO's level of expertise should be proportionate to the tasks he or she carries out within the entity. A DPO can be internal or external: this means that entities can decide to appoint either an employee or an external consultant as DPO. This last point remains unchanged. The new Regulation also specifies, at Art. 39, the tasks of the DPO:
- Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
- Advising with regard to data protection impact assessments when required under Article 35.
- Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
It is important to stress that the GDPR grants DPOs a super partes position that ensures those professionals can perform their duties in an independent and autonomous manner. According to Art. 38 of the GDPR, the DPO shall indeed:
- Be properly involved, and in a timely manner, in all issues related to personal data.
- Receive no instructions from the data controller and processor.
- Be supported by the data controller or processor in performing the tasks by receiving all the necessary resources.
- Report directly to higher management.
What is the current framework regarding DPOs in Europe?
Diversity is the key word in describing the current requirements that EU countries prescribe regarding the appointment and the role of a DPO. Most European countries do not currently impose any obligation to appoint a DPO, although there are a few exceptions. In some countries, such as the Netherlands, Poland or Latvia, companies that decide to appoint a DPO are exempted from notification/registration of processing activities to the Data Protection Authorities. Exemption from notification duties is the main benefit that companies earn if they appoint a DPO. A further benefit of appointing a DPO is, of course, preparation for compliance with the new GDPR. Other countries, instead, prescribe an obligation to appoint a DPO if certain conditions are in place. This is the case in Italy, where entities handling health-related files in electronic form are required to appoint a DPO, and in Hungary, where specific entities, among them financial institutions, are obliged to appoint a DPO. Some European countries already have more stringent rules in place with regard to the appointment of a DPO: Germany and Croatia, for example. In Germany, there is an obligation to appoint a DPO for public authorities and for companies that have at least nine people employed in the automated processing of personal data, or at least 20 people engaged in non-automated data processing. In Croatia, instead, a DPO must be appointed whenever the data filing system controller employs more than 20 people.
With regard to the conditions that a DPO should meet, we can spot a sort of harmonization among the European countries. The most important common principle is independence. Some national laws prescribe that DPOs should be free from any instruction from the data controller or data processor and should always perform their duties autonomously. In some European countries the appointment should be made in writing and/or communicated officially to the Data Protection Authority. Integrity and confidentiality are also two characteristics that the DPO should possess according to the current legislation.
Why should companies appoint a DPO?
Although appointing a DPO may look like an unnecessary burden for companies, it has many positive implications and can contribute to effective corporate governance. Centralizing data protection issues not only reduces the administrative burden, but also facilitates compliance with legal requirements. For multinationals or groups of companies performing complex data processing activities and cross-border data flows, having centralized data protection management becomes of the utmost importance. Having an effective compliance management system can reduce interventions by the authorities and avoid unnecessary costs for dispute resolution. Last but not least, handling personal data in an efficient and transparent way will also help the company to build a strong reputation in the market.