This special report looks at the new role of Data Protection Officials in Europe, specifically Belgium, France, Germany, Italy, The Netherlands, Sweden and the UK.

Data Protection Official (DPO) in Europe

Art. 18 (2) of the EU Data Protection Directive 95/46/EC of 24 October 1995 provides that Member States may choose to exempt companies that have appointed a DPO from the duty to notify, i.e. register, their processing of personal data with the supervisory authority. The Directive provides that the DPO is to be responsible for ensuring, in an independent manner, compliance with local data protection law as well as keeping a register of the processing operations carried out by the data controller. The register must contain the items of information referred to in Article 21 (2) of the Directive.

Not all Member States have taken advantage of this exemption. For those that have, the requirements, responsibilities and rights of a DPO vary considerably, as the country-specific sections below make clear. For those that have not, it can still be useful to appoint someone with similar functions in order to build a sound internal privacy organisation. It should also be noted that the Article 29 Working Party, in view of the positive findings from those Member States in which DPOs have already been introduced, recently recommended a broader use of DPOs as a substitute for notification duties (WP 106, adopted on 18 January 2005).

Belgium - Peter van de Velde

Belgium has not implemented this part of the Directive and, so far, there are no discussions to do so either. Organisations are, thus, free to appoint a DPO on a voluntary basis but without any statutory requirements or recognition. Normally, DP issues are handled by the company legal departments (or, in the absence of "legal", by IT people).

France - Ariane Mole

Data Protection Correspondent in France: a new challenge?

The new French Data Protection Act, passed on 6 August 2004, provides in article 22 that public or private bodies can choose to appoint a "Data Protection Correspondent" (DPC).

There is no obligation to appoint a DPC, even though the French Data Protection Authority (CNIL) strongly encourages it. Firms or other bodies that choose to appoint a DPC are exempt from any declaration to the CNIL, but not from the prior authorisations required for certain categories of processing considered sensitive or for data transfers outside the European Union. Multi-national companies and companies operating in countries outside the European Union may therefore be less interested in appointing a DPC.

A decree (expected for the first half of 2005) will be adopted to define the qualifications and tasks of the DPC.

Who can become a Data Protection Correspondent?

The Act does not specify whether the DPC must be chosen from inside the organisation or whether it will be possible to appoint external counsel. This will be defined by a decree.

The CNIL formed a working group which issued its recommendations on this issue on 23 November 2004. The CNIL considers that a DPC should only be appointed from outside the organisation where data controllers are small structures (the threshold to be defined by decree) which therefore need to share a correspondent.

In other cases, the correspondent should in principle be appointed from inside the company or public body.

The decree will define the legal and technical qualifications required for Data Protection Correspondents.

Status of the Data Protection Correspondent

The role of the DPC is independent, as they represent both the CNIL inside the company and the company before the CNIL. Their appointment must be notified to the CNIL and to the works representatives, and no DPC can be removed from their functions without prior permission from the CNIL. However, an amendment seeking to confer on them a specially protected status (guaranteeing their continued employment within the company) was rejected during a debate before the Senate. The creation of such a function, which would go some way to increasing respect for the Data Protection Act inside companies, must therefore be carefully considered, as DPCs will have to reconcile competence, independence, objectivity and respect for the company's interests while maintaining relationships with the works representatives and with the CNIL. While the Act makes clear that a DPC who does not fulfil his role correctly will be "dismissed of its functions", it does not make clear who will be responsible for overseeing the duties of the DPC. Also, since violation of the Act is punishable under civil or criminal law, the question arises as to who will be liable for these sanctions where a breach of the law occurs.

Germany - Sibylle Gierschmann

Data Protection Official in Germany

As far back as 1977, the first German Federal Data Protection Act provided for a company DPO. Since then, the function of the DPO has been the subject of continual controversy. Whereas in the public sector supervision by an authority was demanded and eventually implemented in law, the private sector fought against such an institution. In the end, the compromise of providing for a company DPO, i.e. someone appointed by the respective company, was implemented in law and still exists today. This concept of self-control is a two-step control system: the company is primarily self-controlled by the DPO, while external administrative control is performed by an official data protection authority on a case-by-case basis.

Accordingly, it is not surprising that during consultations on the draft EU Data Protection Directive 95/46/EC the German delegation lobbied heavily for a similar provision in the Directive. While the Directive makes it optional to have a DPO, under German law a company is required to have one in certain circumstances.

Obligation to appoint a Personal Data Protection Official

According to German law, public authorities are required to have a DPO. Private companies shall appoint a DPO in the following circumstances:

  • they employ more than four persons in the automated processing of personal data
  • they employ at least twenty persons in the manual processing of personal data
  • the kind of personal data or the purpose for which the data is used involves special risks to the rights and liberties of the data subject, in particular because special categories of personal data are processed or the processing is intended to appraise the data subject’s personality, including his abilities, performance or conduct

Who can become a Personal Data Protection Official?

The DPO has to be a natural person but need not be employed by the company, i.e. it is permissible to appoint an external DPO with the required knowledge. At a minimum he is required to have a basic knowledge of data protection law, a basic understanding of business matters as well as of the processes and techniques of data processing, and specific knowledge of the company he works for.

Furthermore, the DPO needs to be reliable. This means that he needs to have personal integrity and no conflict of interest. Regarding the latter requirement, the Data Protection Authorities are of the opinion that the IT director or HR director, as well as executives of the company, are not qualified.

Appointment and removal of the Data Protection Official

The appointment of the DPO must be made in writing within one month of the company commencing operations. The appointment may only be revoked at the request of the Data Protection Authority or in compliance with the requirements for an extraordinary termination of contract.

Tasks of the Data Protection Official

The DPO has various tasks, in particular:

  • to work towards ensuring compliance with data protection law (although the company remains the responsible party); to monitor best practice in the use of data processing programs, to assess which personal data are to be processed, and to familiarise employees involved in the processing of data with data protection law
  • to examine, prior to their start, automated processing operations which involve special risks for the rights and liberties of the data subject, particularly when special categories of personal data are to be processed or the processing of personal data is intended to appraise the data subject’s personality, including his abilities, performance or conduct

Status of the Data Protection Official within the company

The DPO acts independently. It is a legal requirement that the DPO reports directly to management without being subject to orders of the management with regard to his role in evaluating data protection issues. However, he cannot implement data protection measures against the will of the company.

The company is required to provide the DPO with the necessary personnel, equipment and funds to carry out his role. The data controller must inform the DPO in good time about projects for automatic processing of personal data. Also the company is required to provide the DPO with a register of processing operations carried out by the company and to provide him with information on persons who have access rights to the IT systems. Data subjects may approach the DPO at any time.

The DPO is bound to maintain secrecy about the identity of the data subject and about circumstances permitting conclusions to be drawn about the data subject. An internal DPO may not be put at a disadvantage compared with other employees, e.g. by being passed over for promotion.

Italy - Debora Stella

The Data Protection Official in Italy

Italy has not taken advantage of the exemption provided under art. 18 (2) of the EU Data Protection Directive. The Italian Data Protection law (the DP Code 196/2003) does not require, nor even make reference to, a DPO.

Notwithstanding the lack of rules for a DPO, many companies feel the necessity to identify a qualified person (internal officer/director of the company or, in less frequent cases, external experts) who will supervise and ensure the application of the Data Protection law within the company.

Who can become a Data Protection Official?

Usually the DPO role is assigned to an official or expert who has also been appointed as a “data processor”, since he/she carries out processing activities, i.e. is the person responsible for a specific company department (for example the HR officer) or provides consultancy services to the company.

In the absence of specific regulations there are no mandatory requirements regarding the appointment of a DPO or their duties. Despite this “informal” approach to appointing a DPO (either an internal officer or an external expert), they are usually chosen from among officers/experts who are qualified to be “data processors” and who must therefore comply with the “data processor” requirements provided by the Data Protection law:

  • experience
  • capabilities
  • reliability

This ensures thorough compliance with the Data Protection law. In addition, in the case of an internal DPO, the official should also have:

  • funds and equipment necessary to comply with his/her duties
  • powers to make payments necessary to comply with the Data Protection law
  • powers to represent the company before third parties, in relation to the assigned tasks/duties

In practice, DPOs appointed from external sources typically have a supervisory duty, as well as a duty to co-operate in ensuring that the company is compliant with the Data Protection law, e.g. by identifying all activities required to implement the Data Protection law in the company and carrying them out. Companies usually appoint people with whom they are already familiar, e.g. external legal/business consultants or IT service suppliers (in particular with reference to DP security requirements).

More frequently, companies assign the above-mentioned duties to internal officials in charge of the HR and/or IT departments, or to the internal auditor (more common in financial organisations or large companies), where these exist. Even if not independent, such officials have more awareness of the way their departments function and are better placed than most members of the board of directors to identify what the company must do in order to comply with the Data Protection law. They can also suggest what steps need to be carried out in order to be compliant and, if granted the relevant powers, can implement them. From a practical point of view, companies appoint such officials as “data processors” in relation to the data processing activities carried out within their departments and delegate to them the powers necessary to comply with the Data Protection law.

Sweden - Jim Runsten

Data Protection Official in Sweden

A Controller of Personal Data is under no obligation to appoint a Data Protection Official (DPO), or Data Protection Representative as they are called in the Swedish Personal Data Act (1998:204). However, if a DPO is appointed and the supervisory authority, the Data Inspection Board, has received notice of the appointment, the Controller of Personal Data is no longer under an obligation to notify the Data Inspection Board of every instance of processing of personal data. The Data Inspection Board has issued a template form for the notification of the DPO.

Who can become a Personal Data Protection Official?

There are no formal requirements on the person who is to be appointed as DPO. The only explicit statutory requirement is that the DPO is a natural person. More than one DPO can be appointed by the same Controller of Personal Data, in which case the areas of responsibility of the DPOs should be defined.

As mentioned above, there are no explicit qualification requirements for a DPO in the Personal Data Act. However, for the DPO to fulfil the function of independently ensuring that the Controller of Personal Data processes data in accordance with the law, the DPO has to possess adequate qualifications and knowledge. The Data Inspection Board provides “start kits” with information and training for DPOs registered with the Board.

Appointment and removal of the Data Protection Official

As mentioned above, a DPO is appointed by the Controller of Personal Data and registered with the Data Inspection Board. The Controller of Personal Data is also required to notify the Data Inspection Board of any removal of a DPO. If the Controller of Personal Data does not notify the Data Inspection Board of the appointment of a DPO, the Controller of Personal Data is still duty bound to notify the Data Inspection Board of every instance of processing of personal data. An incorrect notice is sanctioned by fines or imprisonment of up to two years.

The Personal Data Act contains no provisions regarding the notice to the Data Inspection Board of the appointment or removal of DPOs, other than that it should state who they are. The Government, or the authority appointed by the Government, may however issue more detailed regulations concerning what such a notification should contain. The Data Inspection Board has issued a form for the notification of DPOs which may be used for this purpose.

Tasks of the Data Protection Official

The DPO shall:

  • have the function of independently ensuring that the Controller of Personal Data processes personal data in a lawful and correct manner and in accordance with good practice
  • point out any inadequacies to the Controller
  • notify the Data Inspection Board if the DPO has reason to suspect that the Controller of Personal Data is contravening the provisions applicable for processing personal data and if rectification is not implemented as soon as practicable after being pointed out to the Controller of Personal Data
  • also otherwise consult with the Data Inspection Board in the event of doubt about how to apply the rules in the Personal Data Act or regulations issued under that act
  • maintain a register of the processing that the Controller of Personal Data implements and which would have been subject to duty of notification if the DPO had not existed. The register shall comprise at least the same information that a notification would have contained. The Data Inspection Board has issued a form for such notification which can be used as a template

The Netherlands - Gerrit-Jan Zwenne

The Data Protection Official in The Netherlands

The Dutch Data Protection Act (“Wet bescherming persoonsgegevens” hereinafter “Dutch DP Act”) provides organisations, both in the public and the private sector, with the opportunity to appoint a Data Protection Official (“DPO” or “the official”). Within the organisation (companies, governmental bodies, trade associations, etc.), the official monitors the processing of personal data and thus the application of and compliance with the Dutch DP Act. Notifications of personal data processing can be made to the official. He is also an expert contact for the controller. He may also act as contact official for the persons about whom personal data are processed: customers, staff members and citizens. The appointment of such an official will lead the national supervisory authority, the Dutch Data Protection Authority (“DP Authority”), to adopt a reticent attitude towards organisations where a DPO is working properly.

According to the DP Authority, the supervisory task of the DPO may imply that he draws up a list of the processing procedures within the organisation, in particular since such a list is required for determining whether the controller complies with the notification obligation. The DPO keeps a file of notifications. He can deal with complaints about the use of personal data. Every year, he must produce a report of his activities and findings for the controller. He can advise colleagues and management on the application of the Dutch DP Act or of a code of conduct applicable to the business line. He can also advise on the appropriate security level for the information, on internal housekeeping within the organisation and on measures aimed at limiting the processing of personal data.

To enable him to perform his job correctly, the DPO must have the necessary audit powers. According to the DP Authority, these should preferably be laid down in an internal arrangement and must include the power to access premises, to request information, and to inspect and investigate matters.

The controller must ensure that the DPO has sufficient facilities to exercise his powers properly. A clear positioning of the DPO with respect to the management of the organisation that appoints him is essential. At the time of the appointment, attention must also be paid to his relationship with the persons whose information is processed in the organisation. Furthermore, the DPO will act as intermediary between the management of the organisation and the DP Authority, which could adopt a reticent attitude, certainly if the handling of complaints about the processing of personal data has also been assigned to the DPO.

With respect to the profile of a DPO, the Act requires that he has sufficient knowledge of the privacy regulations and that he is reliable. In practice this usually implies that the official must be able to show great tact.

Who can become a Data Protection Official?

The Act provides that the management of an organisation can institute a DPO. It must be a “natural” person, which means that a works council or committee does not qualify. The concept of an organisation must be understood broadly: it may be a business, a government institution or a trade association. The appointment of a DPO does not mean that the powers of the Dutch Data Protection Authority lapse; the DP Authority will, however, keep its distance from the organisation once an official has been appointed.

Some statutory requirements apply to the DPO. In particular he must have sufficient knowledge, be reliable and hold a position in the organisation that enables him to carry out independent supervision. The organisation that appoints him must also give him the opportunity to perform his job properly. To this end, the Act provides that the DPO cannot receive instructions from the controller or from the organisation that has appointed him. The official naturally has a confidentiality obligation. Just like the members of the works council, the DPO may not be disadvantaged as a result of carrying out his job. He must also have the necessary facilities at his disposal. The appointment of a DPO must be notified to the DP Authority, which keeps a list of organisations with such officials. Finally, the DPO must produce an annual report.

Appointment and removal of the Data Protection Official

The DPO must be able to perform his work independently. However, this must not isolate him from the management of the organisation; on the contrary, they must be in fairly close contact. The DPO can hold a staff position that is closely related to the management of the organisation, for example a position within the legal department.

The Dutch DP Act does not make clear provisions on the scope of the DPO’s supervision. Neither at the bottom (several DPOs within one organisation) nor at the top (one DPO for several organisations) has a distinct line been drawn. There are obvious parallels between supervision and responsibility, in other words: one DPO per (main) responsible party. The notification form, by means of which the controller notifies the DP Authority of the data protection official, requires a description of the scope of his supervisory job.

In the case of a conflict between the DPO and the controller, the controller has the last word. However, the DPO cannot be impeded in the performance of his tasks, although his advice is not binding. According to the legislative history, the controller retains the freedom to take various decisions.

The legislator has declared some provisions of the Works Councils Act (“Wet op de ondernemingsraden”) equally applicable to the DPO. As a result, he obtains the same level of protection as the members of a works council. This means that his employment cannot be terminated without the prior consent of the subdistrict court (“kantongerecht”). The court only grants its consent if it finds it plausible that the termination is not related to the DPO’s work. The intention of this provision is to protect the independence of the official. The DPO may not be prejudiced with respect to promotion prospects or the distribution of work because of his function.

Tasks of the Data Protection Official

The DPO supervises whether the personal data within the organisation that has appointed him is processed in compliance with the Dutch DP Act. If there is also a code of conduct for data processing within the organisation, the official’s supervision also covers compliance with this code of conduct. The supervision may result in recommendations for dealing with personal data in the organisation in which the DPO is working. The Act therefore gives the DPO the opportunity to make recommendations to the controller that assist in better protecting the data that is processed. If desired, the DPO can consult about this with the external supervisory authority, the Dutch DP Authority.

  • Supervision. In order to represent the interests of both the controller and the persons involved (i.e. the persons whose information is processed) efficiently, a DPO can be appointed as internal supervisor. In practice, the way in which the DPO fulfils his supervisory duty within the scope of his powers depends strongly on the nature of the organisation and the data that are processed. In general it is advisable that the DPO systematically investigates the way in which personal data is processed and protected. If necessary, he can be supported by (external) specialists.
  • Inventory. Understanding the processing of personal data is an important condition for exercising efficient supervision. The DPO can achieve this through an inventory of the processing operations within the different parts of the organisation. In this way he can, inter alia, map the data streams and indicate whether a notification obligation applies to a given processing. Note that the obligation to notify lies with the controller and not with the DPO; the DPO does, however, obviously play a supporting role in this.
  • Notification. Once a DPO has been appointed, the controller can notify the DPO of the personal data processing that takes place, so that notification no longer needs to be made to the Data Protection Authority. The DPO keeps a file of the notifications made to him. By setting up a (virtual) front desk within his organisation, for example, he gains insight into the size and nature of personal data processing and the points at which it occurs. It remains the duty of the controller to organise the notification procedure properly. It is also possible to use the (electronic) notification programme of the Data Protection Authority for internal purposes.
  • Complaints. Dealing with complaints about the use of personal data can form part of the DPO’s job responsibilities. In order to deal efficiently with the complaints of the persons involved, it is important that the DPO can be recognised and reached easily; to achieve this, the company could post his details on its website. It is also possible to route complaints related to personal data processing through a complaints officer (or committee) or the customer service department, in which case the DPO can work as a specialist behind the scenes.
  • Reporting. The DPO has the statutory duty to draft a report of his activities and conclusions. In view of the DPO’s position, he reports to the controller in the first instance. Subsequently, the controller may also make the report more widely available. During processing by the DP Authority, the hope has been expressed that, as part of its quality policy, the organisation sends the report to, inter alia, the works council, customer relations and the Data Protection Authority. The DPO’s report can also be integrated into the organisation’s general annual report.
  • Information. Within his organisation, the DPO can become an oracle for the employees. It is also perfectly appropriate for him to give information about dealing with personal data, or training sessions, in liaison with the DP Authority. Current developments within the business line in question can give rise to additional information from the DPO. It is a real art to translate the abstract privacy rules into concrete standards for an organisation; because of his specialised knowledge of the organisation, the DPO must be able to achieve this.
  • Advice. Because of his knowledge of the organisation and his specific expertise, the DPO can give fast and efficient advice. This applies to colleagues, for example when questions arise about the application of the Dutch DP Act or about the privacy code of conduct applicable to a business line. Individuals can also be advised when they have complaints about the processing of their personal data within the organisation. Finally, the management may also need advice on matters related to the processing of personal data.
  • Development of standards. Efficient supervision may imply the development of standards. There may be a need for one or more internal arrangements focused on the specific processing within an organisation. The DP Authority has not made this obligatory, but it may be practical for the DPO and the organisation within which he is working to develop such arrangements. If the DPO works at business line level, he may be able to provide valuable input for implementing or adapting a code of conduct (as referred to in section 25 of the Act). Such a code of conduct also forms a binding framework for the exercise of his duties.
  • Technology and protection. The controller is obliged to take appropriate technical and organisational measures in order to protect personal data from loss or from any form of unlawful processing. The DPO can also advise the controller on this point.

United Kingdom - Ruth Boardman

The Data Protection Official in the United Kingdom

Organisations in the United Kingdom are not obliged to appoint a DPO. Indeed, the Data Protection Act 1998 makes no reference to such a person at all.

Despite this lack of statutory recognition of the role, an increasing number of companies are appointing data protection or privacy officials.

Who can become a Data Protection Official?

As there is no statutory recognition of the role of a Data Protection Official, there are no mandatory qualifications or experience requirements for appointment as a Data Protection Official.

In practice, most Data Protection Officials tend to have the following backgrounds:

  • legal (probably the minority)
  • IT experience (this is because the old UK legislation in this area, the Data Protection Act 1984, only applied to computerised records)
  • experience at the Information Commissioner’s Office (the UK data protection authority)

Organisations that do not appoint a separate Data Protection Official tend to make either their legal or compliance departments, or the IT function, responsible for data protection.

In practice, perhaps the two most important skills for a Data Protection Official are:

  • an ability to win the confidence of management – so as to ensure that data protection is treated seriously and that all persons within the organisation understand when they should consult the data protection officer for advice on new uses of personal data
  • a pragmatic approach to compliance: not just advising on what the Act prohibits, but also advising on ways in which an organisation’s business objectives may be met within the constraints of the Act, e.g. by use of aggregated or anonymised data in some situations