In February 2016, as part of its action plan of activities for the implementation of the General Data Protection Regulation ("GDPR"), the Article 29 Working Party ("A29WP") promised to publish guidance on the operation of the GDPR's provisions regarding the requirement for controllers and processors to appoint a Data Protection Officer ("DPO").
That guidance was published on 16th December – a copy is available here (the "Guidance").
Some of the key points raised by the A29WP in its Guidance are as follows:
When is a DPO appointment obligatory? – The Guidance unpacks some of the GDPR's terminology so it is worth starting with a reminder about when the Regulation says that a DPO appointment is obligatory. Three scenarios are mentioned (and the Guidance goes on to summarise what the words in bold/italics below mean), namely where:
Processing is carried out by a public authority (other than certain courts);
The core activities of a controller or processor consist of processing which requires:
regular and systematic monitoring of individuals on a large scale given their nature, scope, and/or purpose; or
large scale processing of sensitive data or criminal records; or
A Member State's law requires a DPO to be appointed (likely in countries such as Germany).
"Public authority": The Guidance says that each Member State's laws should define what constitutes a public authority, and that bodies which are subject to public law should also fall within this definition. So providers of utility services, transport infrastructure and public broadcasting services in many countries are likely to have to appoint a DPO under the GDPR.
"Core activities": Activities which are 'an inextricable part' of the controller's/processor's pursuit of its goals are cited. Reassuringly, the Guidance confirms that a company's processing of staff information (which will inevitably include sensitive data) is ancillary to its activities, not core. Examples of core activities given include a security company's surveillance where it is hired to safeguard a public space, a hospital's processing of patient health data and an outsourced occupational health services provider's processing of employee data.
"Regular and systematic monitoring": All forms of on-line tracking and profiling are called out as examples, including for the purpose of behavioural advertising and email retargeting. Other interesting examples cited include: scoring (e.g. for credit scoring, fraud prevention or for the setting of insurance premiums); location tracking; fitness and health data tracking; CCTV; and processing by connected devices (smart meters, smart cars etc.).
"Large scale": The A29WP is not currently keen on precise numbers being used as a benchmark for this term, although the Guidance notes that plans are afoot to publish thresholds. Instead the Guidance lists some fairly obvious factors to be considered in defining large scale (e.g. the number of individuals affected and geographic extent of processing). Examples of large scale processing cited include: a bank or insurance company processing customer data; and processing of an international fast food chain's customer geo-location data in real time for statistical purposes by a specialist processor.
What about voluntary DPO appointments? – The A29WP encourage these, although given the prescriptive nature of the requirements for the DPO role which the Guidance sets out (summarised below) it remains to be seen how comfortable organisations will be following this lead. The Guidance confirms that where a DPO is appointed on a voluntary basis, the same requirements as the GDPR sets for mandatory DPOs will apply to them (e.g. regarding independence, freedom from unfair dismissal, the obligation to publish their contact details etc.). Interestingly, the Guidance recommends that an organisation which decides not to voluntarily appoint a GDPR DPO documents why it thinks that it is not subject to the mandatory DPO appointment criteria (as summarised above).
Will DPOs be personally liable if their organisation fails to comply with the GDPR? – No. The Guidance is clear on this point. It is controller and processor organisations, not individual DPOs, that are obliged to ensure compliance with the GDPR.
Can an external DPO be appointed? – Yes, so long as the GDPR's requirements, including those regarding impartiality, knowledge of the organisation to which the DPO is appointed and accessibility, are met. The Guidance stresses that the terms of an external DPO's appointment should be clearly laid out in a service contract and that the external DPO's title, status, position and tasks should be clearly agreed.
Can a group of companies appoint a single DPO? – Yes, again so long as the GDPR's requirements mentioned above in relation to external DPOs are met. The Guidance makes an interesting point in relation to accessibility. DPOs are required to be accessible to data subjects and regulators. The Guidance makes the point that this will not be possible unless the DPO can communicate in the languages which the data subjects (for instance customers and staff) and regulators of the organisations he/she represents are likely to speak. It seems that the A29WP expect DPOs in multi-national groups to be both data protection experts and multilingual (or at least to have access to good translation mechanisms).
What skillsets are required of a DPO? – The Guidance repeats the list included within the GDPR (e.g. expert knowledge of data protection laws and practices). Interestingly, it notes that a higher level of expertise is required the more complex and/or sensitive the personal data processed by the organisation, or the greater the volume of data processed.
Publication of the DPO's contact details – This is required by the GDPR. The Guidance clarifies that the name of the DPO does not need to be made publicly available but that it should be communicated to all relevant regulatory authorities and members of staff. Other members of the public need only be given sufficient information to enable communications to easily reach the DPO, e.g. a dedicated email address published on a website.
The DPO's role – The A29WP stress that organisations which appoint a DPO must ensure that the DPO is involved in all issues relating to data protection at the earliest stage and that the DPO's primary concern should be enabling GDPR compliance of the organisation. In so doing the DPO must be involved in key decisions (access to senior management is mentioned) and be given necessary resources (including support, budget, facilities and training). If a security breach occurs the Guidance says that the DPO must be promptly consulted.
What if management disagree with the DPO? – The Guidance states that no instructions may be given to the DPO regarding how to deal with a matter, what results should be achieved or whether or not to consult a regulatory authority. As a matter of good practice, should management disagree with a DPO, the reasons for not following the DPO's advice should be documented. DPOs should not be dismissed or penalised (including indirectly via, for instance, prevention of career development) for performing their tasks – to do so would constitute a breach of the GDPR.
What about conflicts of interest? – The GDPR does not restrict DPOs from holding other posts but expressly requires that organisations ensure that such other tasks do not give rise to a conflict of interest for the DPO. The Guidance goes further and states that a DPO cannot hold a position which leads him/her to "determine the purposes and the means of the processing of personal data". It remains to be seen whether regulators feel that CISOs or CIOs can perform the DPO role.