The Data Protection Officer (DPO) has an important role in the legal framework created by the General Data Protection Regulation (GDPR).
Articles 37 to 39 GDPR lay down the rules applicable to the designation, position and tasks of the DPO.
Furthermore, the former Article 29 Working Party adopted guidelines on DPOs on 5 April 2017, which have been endorsed by the European Data Protection Board (EDPB). These guidelines contain recommendations for controllers, processors and DPOs to which the National Data Protection Commission (in French “Commission nationale pour la protection des données” or “CNPD”) adheres.
1. In which cases is it mandatory to appoint a DPO?
The designation of a DPO is mandatory in the following three cases:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Unless it is evident that an organisation is not required to designate a DPO, it is recommended that controllers and processors document the internal analysis carried out to determine whether a DPO is to be appointed.
2. What does “core activities” mean?
The core activities relate to primary activities of the controller or processor and do not relate to the processing of personal data required for ancillary activities. “Core activities” can be considered as the key operations necessary to achieve the controller’s or processor’s goals.
Example: The core activities of a bank require processing of its clients’ financial data. The bank also processes its employees’ personal data for HR purposes, but this is considered an ancillary activity.
3. What does “large scale” mean?
The GDPR does not define the notion of large scale. The guidelines recommend taking into account in particular the following factors:
- the number of data subjects concerned - either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity;
- the geographical extent of the processing activity.
Example of large scale processing: processing of patient data by a hospital (unlike processing of patient data by an individual physician).
4. What does “regular and systematic monitoring” mean?
The GDPR does not define the notion of regular and systematic monitoring of data subjects, but it clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment.
The monitoring is regular when there is a certain recurrence, frequency or permanence.
The monitoring is systematic when it is methodically organised, pre-arranged or carried out as part of a strategy.
Example: A bank must monitor, regularly and systematically, the evolution of its clients’ accounts and transactions, in particular as part of its obligations relating to the prevention of fraud, money laundering or the financing of terrorism.
5. Is it possible to designate a DPO on a voluntary basis?
Yes, an organisation may designate a DPO on a voluntary basis. In this case, the requirements under Articles 37 to 39 GDPR apply to his or her designation, position and tasks as if the designation had been mandatory. Thus, there is no difference in status between DPOs designated on a mandatory basis and DPOs designated on a voluntary basis.
6. Who may be designated as a DPO?
The DPO may be a staff member (internal DPO) or fulfil the tasks on the basis of a service contract (external DPO).
The DPO must have the required professional qualities, perform his or her tasks in an independent manner and shall not fulfil other tasks and duties that would result in a conflict of interests.
7. What are the required professional qualities?
The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks.
The GDPR does not define precisely the necessary level of knowledge, but it must be commensurate with the sensitivity, complexity and amount of data that an organisation processes.
Relevant skills and expertise include in particular:
- expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
- understanding of the processing operations carried out by the organisation;
- understanding of information technologies and data security;
- knowledge of the business sector and the organisation;
- ability to promote a data protection culture within the organisation.
8. What does “conflict of interests” mean?
The DPO may fulfil other tasks and duties, provided that they do not give rise to a conflict of interests. The DPO cannot hold a position within the organisation that leads him or her to determine the purposes (why?) and the means (how?) of the processing of personal data. This aspect has to be assessed on a case-by-case basis.
Examples of positions that may be considered incompatible with the function of DPO: senior management positions (such as chief executive, chief operating, chief financial or chief medical officer, head of the marketing department, head of Human Resources or head of IT), but also other roles lower down in the organisational structure if such positions or roles lead to the determination of the purposes and means of processing. A conflict of interests may also arise if a processor is acting as (external) DPO for the same controller.
9. Must the DPO be approved by the CNPD?
No, the CNPD does not approve DPOs. The controller or the processor shall simply communicate the DPO’s contact details to the CNPD (Article 37(7) GDPR).
However, the CNPD may monitor whether controllers or processors comply with Articles 37 to 39 GDPR regulating the designation, position and tasks of the DPO.
10. What becomes of the “chargé de la protection des données”?
The repealed Amended Act of 2 August 2002 on the protection of persons with regard to the processing of personal data allowed controllers to designate a “chargé de la protection des données” on a voluntary basis. The DPO is the natural successor to the “chargé de la protection des données”, but there are differences regarding the designation, position and tasks.
With the entry into application of the GDPR on 25 May 2018, the function of the “chargé de la protection des données” ended automatically. No actions vis-à-vis the CNPD need to be taken in this respect.
However, the former “chargé de la protection des données” does not automatically take the function of DPO. Controllers and processors shall comply with Articles 37 to 39 GDPR, and, in particular, the requirement to communicate the DPO’s contact details to the CNPD.