Everything you've ever wanted to know about DPO but never dared to ask
As the entry into force of the General Data Protection Regulation (GDPR) approaches, more and more companies are assessing whether they need to designate a Data Protection Officer (DPO) and, at times, may be struggling to understand how the provisions on the DPO will apply to them.
This blog post will not cover the general provisions on DPO under articles 37 to 39 of the GDPR. For a general overview of what the GDPR requires, please read our previous blog post on the topic (click here). Instead, this article answers some of the more difficult questions that you may be asking but have never dared to ask.
1. Does the requirement to designate a DPO apply both to controllers and processors?
Yes. For processors, it is one of many direct obligations in the GDPR. Processors will need to check their own compliance programmes are in order. There is potential for overlap or conflict where a processor with a DPO will be processing on behalf of a controller with a DPO. The Working Party 29 (WP29) guidance simply states that they "should then cooperate with each other".
2. Must organizations outside the EU designate a DPO?
Organizations with no establishments in the EU will need to assess first whether article 3 on the territorial scope of the GDPR applies to them, particularly if they are offering goods or services directly to individuals in the EU, or monitoring their behaviour, in which case the GDPR will apply to them and, as a result, they may need to designate a DPO to the extent the conditions set out under article 37 also apply to them.
3. Are there exceptions to designating a DPO for SME?
No. In earlier drafts of the GDPR, the requirement would apply only to businesses with 250 or more employees or processing 5,000 data records. These prescriptive limits were dropped in the final adopted version. The requirement to designate a DPO is dependent only on the activities of the organisation.
4. For a group of companies, can a single DPO be designated?
Yes, the GDPR allows groups of companies to designate a single DPO, as long as they are "easily accessible" from each establishment of the group. The WP29 interprets this as meaning the DPO must publish their contact details and be in a position to efficiently communicate in the language(s) of the Supervisory Authority and data subjects concerned.
5. Must a DPO be located in the EU?
In general, the WP29 recommends that the DPO should be located within the EU, whether or not an enterprise is established in the EU. However, it goes on to state that where the controller or processor has no establishment within the EU, "the DPO may be able to carry out his or her activities more effectively if located outside the EU". The WP29 seems to have a preference for DPOs who are located in the EU for purposes of accessibility with the data subjects and the DPAs, but in practise, multinational organizations who have their headquarters outside the EU should be able to designate a DPO who is not physically established in the EU.
6. Can a DPO be designated for a specific processing activity or must it be designated for an organization's entire processing activities?
According to the WP29 guidance, a DPO is designated for all the processing activities that are carried out by an organization. It is therefore not possible to limit the scope of a DPO's duties to certain processing activities.
7. Can a DPO be held personally liable for an organisation's non-compliance with the GDPR?
No, article 38(3) of the GDPR says that DPOs should "not be dismissed or penalised by the controller or the processor for performing his tasks". This does not mean, however, that a DPO cannot be dismissed or replaced, simply not for performing his tasks. This is explained by the fact that DPOs should act independently without receiving any instructions regarding the exercise of their tasks. However, DPOs may be sanctioned on other legal grounds, such as labour or criminal law, just like any other employee within the organization.
8. Does the DPO have an obligation to report any potential violations to the supervisory authority?
No. The DPO is not obliged to whistleblow and responsibility ultimately rests with the controller or processor. However, the WP29 guidance states that the DPO's obligation of secrecy and confidentiality does not prohibit a DPO from contacting and seeking advice from the supervisory authority and encourages DPOs to contact their supervisory authorities on any matter, where appropriate.
9. Are there any formalities for designating a DPO?
Unlike the Directive 95/46/EC which speaks of "appointing" a DPO, the GDPR uses the term "designate" which implies that there are no legal formalities required when designating a DPO, such as submitting a formal notification or appointment form to the supervisory authorities (which is currently the case in France, for example). Nonetheless, article 37(7) does require companies to communicate the contact details of their DPO to the supervisory authorities but it is unclear in what form this must be carried out and the WP29 guidance remains silent on this point. National laws may impose additional requirements on organizations when designating a DPO, such as notifying the employee representative bodies.
10. Are there additional requirements that apply to to DPOs under national law?
Yes, specific requirements may apply to DPOs under national laws in some Member States, such as France or Germany. Germany has recently amended its Federal Data Protection Act and has kept the obligation to appoint a DPO in companies that have at least 10 employees who are permanently engaged in the automated processing of personal data.
For more information, Fieldfisher and DataGuidance have combined their efforts to prepare the most comprehensive FAQ on the topic of DPO which is available on DataGuidance's website.
DataGuidance has also recently organised a webinar on the topic of DPO. A recording of the webinar is available via this link: https://vimeo.com/242778063