The topic of the (mandatory) appointment of a Data Protection Officer (DPO) is particularly relevant as recent decisions have shown that supervisory authorities do not shy away from sanctioning organisations that fail to appoint a DPO or do not meet the DPO requirements of the GDPR. Few months ago, a €25.000 fine was imposed on a company by the Spanish Data Protection Authority (DPA) for failing to comply with the obligation to designate a DPO (though it had established a “Data Protection Committee”) and not making the necessary notification to the DPA on time. A few month before, in Belgium, a €50.000 fine had been given by the Belgian DPA to a telecommunications company for having appointed a DPO with conflicting role : indeed, the DPO’s other position in the company (where he was responsible for the Compliance, Internal Audit and Risk Management departments) required him to make decisions about the purposes and means of processing personal data, by the same token undermining his independence.
The DPO is the person appointed by an organisation, acting as controller and/or processor, who ensures that the latter carries out its processing of personal data in compliance with the applicable data protection rules. His or her tasks are numerous and the main ones are detailed in Article 39(1) of the General Data Protection Regulation (GDPR).
The appointment of a DPO guarantees that the organisation has a high level of data protection compliance, that appropriate security measures are implemented and, most importantly, that the privacy risk - and thus the business risk - is properly managed. These non-negligible benefits for any organisation are a very strong incentive to appoint a DPO on a voluntary basis. However, in some cases, appointing a DPO is not only recommended or advisable, it is mandatory under Article 37(1) of the GDPR:
1) For all public authorities or bodies processing personal data, with the exception of courts acting in their judicial capacity.
The notions of "public authority" or "public body" are not defined in the GDPR. It is therefore necessary to refer to the relevant national laws to interpret these terms. In general, national, regional and local authorities are covered, in practice various types of bodies such municipalities, public hospitals, universities or state schools are also included. The Luxembourg Data Protection Act does not provide for a definition of these concepts, contrary to other Member states that have defined the concept of public authority in their national law when implementing the GDPR (for example, the Belgian Data Protection Act gives a very broad definition).
Additionally, some public tasks may be carried out by organisations which are not public authorities themselves. It is recommended that such organisations also designate a DPO. These services may be, depending on the law of the Member States, public transport, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.
2) Where the core activities of an organisation consists of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale.
Whenever the data processing is an integral part of the organisation's main activities, it is referred to as its "core activities", as opposed to personal data processing operations which would only be an ancillary activity (Recital 97 of the GDPR). Core activities are indeed the essential operations necessary to achieve the objectives of the organisation, whereas supporting activities (payment of salaries, data related to career management) will generally be qualified as auxiliary activities. Thus, more often than not, processing by HR and IT departments will not be part of the core activities of an organisation.
For example, the core activities of a bank require the processing of financial data of clients whereas the core activities of a security company conducting surveillance require the processing of personal information for security reasons. These organisations should therefore appoint a DPO.
The concept of “regular and systematic monitoring of data subjects” is not defined in the GDPR, but Recital 24 refers to “monitoring of the behaviour of data subjects”. This includes all forms of tracking and profiling on the internet, including for the purpose of behavioural advertising. Contrary to what this recital might suggest, however, the monitoring referred to is not limited to the online environment.
According to the Article 29 Working Party (WP29), the predecessor of the European Data Protection Board (EDPB), the term "regular" should be interpreted as reflecting one or more of the following realities:
• continuous or occurring at regular intervals over a period of time
• recurring or occurring at fixed times
• occurring on a constant or periodic basis.
The term "systematic", still according to the WP29, covers one or more of the following meanings:
• occurring in accordance with a system;
• pre-established, organised or methodical;
• taking place as part of a general data collection programme;
• carried out as part of a strategy.
Following these explanations, one example of a regular and systematic monitoring of data subjects is when a bank follows the evolution of the accounts and the transactions of its clients, especially for complying with its obligations to prevent fraud, money-laundering or terrorist financing. It can also encompass loyalty programs, closed-circuit television, connected devices such as smart meters, smart cars or home automation, or marketing agencies that profile and perform marketing automation.
The words “large-scale” can be interpreted in accordance with Recital 91 of the GDPR (on impact assessments). There is currently no universal threshold, in terms of the volume of data processed or the number of data subjects, beyond which processing operations are assumed to be "large-scale", nor is it desirable to have such threshold. Each situation should be analysed to determine whether or not a processing operation is large-scale in the light of the following factors (from the WP29 Data Protection Impact Assessment Guidelines):
• The number of data subjects, if any, in relation to a data subject population;
• The volume of data and the range of different data processed;
• The duration or permanence of the processing activity;
• The geographical distribution/extent of the processing activity.
The WP29 gave, among others, the following examples of processing on a large scale:
• Processing of patient data by a hospital (contrary to processing of patient data by an individual physician);
• Processing of data by an insurance company or a bank;
• Processing of data (content, traffic, location) by telecom or internet service providers.
3) Where the core activities of an organisation consist of large-scale processing of categories of data referred to in Articles 9 and 10 of the GDPR.
Although the official wording of Article 37(1)(c) of the GDPR includes the word "and", it should actually read "or". Therefore, the processing of either "sensitive" data (Article 9) or "judicial" data (Article 10) is sufficient to trigger the mandatory appointment of the DPO. Hence, as by nature a hospital processes genetic data, hospitals must as a rule designate a DPO.
4) Where an organisation, acting as a controller, is processing personal data for scientific or historical research purposes or statistical purposes.
The appointment of a DPO is described, in Article 65(1) of the Luxembourg Data Protection Act, as an appropriate safeguard under Luxembourg law, pursuant to Article 89 of the GDPR. Therefore, organisations carrying such kinds of processing activities must appoint a DPO unless, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, it is not deemed necessary. However, for each project for scientific or historical research purposes or statistical purposes, the controller must document and justify any exclusion of one or several of the measures listed in this article, including the appointment of a DPO. Article 64 provides that the same rules apply to processing of special categories of personal data by an organisation for the purposes defined in Article 9(2)(j) GDPR (i.e. processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).
This last scenario is the only additional scenario where the appointment of a DPO is mandatory under Luxembourg law. In Luxembourg's neighbouring countries, such as Belgium or Germany, more additional cases in which an obligation to appoint a DPO applies are provided for by national laws.
In a more general sense, except where it is clear that the organisation does not have an obligation to appoint a DPO, it is recommended that the organisation, in order to comply with the accountability principle of the GDPR, documents the internal analysis leading to the conclusion of whether or not there is an obligation to appoint a DPO and the factors that played a part in this review. This documentation should of course be kept up to date: it is possible that the obligation to appoint a DPO is triggered by a change in the organisation's activity or by the development of a new activity.
It is highly encouraged to appoint a DPO as a matter of good practice and to demonstrate compliance. However, it must be pointed out that if an organisation chooses to appoint a DPO voluntarily, it must still comply with the full range of DPO requirements in the GDPR (independence, no conflict of interest, DPO qualifications…).
Chosen on the basis of his or her specialised knowledge of the law and practices in this field, the DPO can either be internal (i.e. part of the organisation's staff) or external (performing his or her tasks on the basis of a service contract). There are several risks in appointing one of the organisation's employees and several advantages in choosing an external DPO. For more information, CRANIUM has dedicated a blogpost on this topic: here.
It also is important to remember that the contact details of the DPO must be published and communicated to the competent supervisory authority. In Luxembourg, a form exists, which should be completed, signed and then sent to the National Data Protection Commission (CNPD) at the following email address: [email protected].
Does your organisation meet the above-mentioned criteria and needs to appoint a DPO? Do not hesitate to contact us : [email protected]