The Article 29 Working Party Issues Final Guidelines on Data Protection Officers ("DPO")

11 April 2017

Ruth Boardman, Ariane Mole, Gabriel Voisin

At its plenary session on 5 April, the Article 29 Working Party ("WP29") approved revised guidance interpreting elements of the General Data Protection Regulation ("GDPR"), including on the appointment of data protection officers.

The revisions to the draft guidance, which was initially released in December 2016, followed a period of open public consultation that ran through the end of January 2017. You can find our summary of the December 2016 highlights here.

Some of the new points raised by the WP29 in its final guidance are as follows:

1. Accountability means that DPO assessments need to be kept up-to-date and can be requested at anytime

When controllers and processors determine whether or not a DPO is required, they should keep a copy of their analysis in their records as this assessment falls within the scope of their wider accountability obligations.

The final guidelines provide that this evaluation (i) can be requested by the competent supervisory authority at any time and (ii) must be revisited every time new activities and services are contemplated. Given the increasing legal consequences that such analysis will create, controllers and processor are advised to proceed with care when making their DPO assessment.

2. No "a la carte" DPO appointments

When controllers and processors appoint a DPO (whether on a mandatory or voluntary basis), this person becomes responsible for all the processing activities carried out by the organisation.

It will therefore not be possible to circumscribe the role of the appointed DPO to only a portion of the organisation's activities and keep him away from the rest.

3. Big data now an example of 'regular and systematic monitoring'

As originally noted all forms of on-line tracking and profiling are called out as examples, including for the purpose of behavioural advertising and email retargeting.

The final guidelines go one step further and add a reference to "data-driven marketing activities" so as to catch for instance big data-style operations.

4. Preferably, the DPO should be located within this EU

The final guidelines suggest that this is indeed the way for controllers and processors to ensure that their DPO is accessible (unless those organizations have no presence within the EU and the DPO activities will be better carried out outside of the EU).

5. There can only be one DPO, but supported by a team

Although the final guidelines confirm that only one DPO can be appointed (preventing the "virtualization" of the role between various individuals), this person can receive help and support from a team. Multiple additions can be seen throughout the document to confirm this point.

This clarifies one point of the initial draft guidelines, which provided that the DPO must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities in the language or languages used by the supervisory authorities and the affected data subjects. This point had raised criticisms as it seemed to imply that the DPO must speak all EU languages. The amended guidelines now make it clear that such communications in the various EU languages can be done by the DPO “with the help of a team if necessary”.

6. Duty to ensure the confidentiality of communications between the DPO and employees

The final guidelines confirm a need to put in place "secure means of communication" between employees and the (internal or external) DPO to ensure the confidentiality of their exchanges. This for instance would be ensured by the physical presence of the DPO on the premises of the employees or the establishment of a hotline. The suggestion here is that the secure means of communication must be free of monitoring technologies.

7. Senior managers including Head of HR, Marketing or IT individuals are barred from serving as the DPO

The GDPR does not restrict DPOs from holding other posts but expressly requires that controllers and processor ensure that such other tasks do not give rise to a conflict of interest for the DPO.

The final guidelines identify two groups of situations likely to generate conflict of interests:

  • Internal appointment: DPOs having senior management positions (e.g. CEO, COO, CFO, Chief Medical Officers, Head of Marketing, HR or IT) will not be eligible for DPO positions. The same would be true for people having lower roles within the organization of the company if their roles lead to the determination of purposes and means of processing; and

  • External appointment: If an external DPO (e.g. a lawyer) provides day-to-day DPO services to controllers or processor, this may prevent this individual from representing those entities before courts in cases involving data protection issues.
8. The GDPR does not prevent the DPO from maintaining records of processing

Under the GDPR, the DPO is not in charge of maintaining records of processing activities, whereas this is an important part of the DPO’s current duties under local data protection laws in France and Germany. The amended guidelines now provide that nothing prevents the controller or the processor from assigning the DPO with the task of maintaining the records of processing operations under the responsibility of the controller or the processor. The amended guidelines also provide that such records should be considered as one of the tools enabling the DPO to perform its tasks of informing and advising the controller or the processor, and monitoring compliance with the Regulation.

The revised guidance on DPO is available here. For a redline comparison with the earlier draft, click here.