The Data Protection Officer (DPO) is a role recognized in the new European Data Protection Regulation - Regulation (EU) 2016/679 - which came into force in May 2016.
The controllers and processors will nominate this person, who will perform several functions related to the processing of personal data.
In this post we will explain under what circumstances companies are required to incorporate a data protection officer.
This post is also available in Spanish.
When is it necessary to incorporate a Data Protection Officer in a company?
Although the Regulation recognizes this role, it does not define it. What the Regulation does indicate is when, and under what circumstances, the designation of this role is necessary. It also establishes certain distinctive knowledge and abilities that this person should possess.
Thus, Article 37 of the Regulation provides that “the controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
What is the difference between a controller and a processor?
Given the definitions in Article 4 of the Regulation:
(7) "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Inaccuracies of Article 37 of the new Data Protection Regulation
One of the imprecisions of the new regulation, observed in the aforementioned Article 37, is that it does not define what is meant by "regular and systematic monitoring"; another is that it does not define the term "on a large scale".
> What is meant by "regular and systematic monitoring"?
From a legal point of view it would be necessary to define what "regular and systematic monitoring" means, because this expression raises many questions. For example, could a company's processing of its employees' data to run the payroll once a month, regardless of the number of employees, be considered regular and systematic? Certainly, it could be considered regular (every month) and systematic (it always follows the same system). However, it would not in principle be the company's core activity, so the term "regular and systematic monitoring" would not apply, and neither would the obligation to designate a DPO.
But then, can the treatment of user data by the mobile application, mentioned above, be considered systematic and regular? By performing the same analysis as before, understanding "regular" as something that happens on a regular basis, and "systematic" as something that follows a methodology or system, we should say that such data treatment by the app is both regular and systematic. And this would definitely be the main activity of the company that owns the app, as a service through this app is offered and user data are collected precisely to offer that service.
However, as stated in Article 37(1)(b), the requirement of "regular and systematic monitoring" is conditional on such processing being "on a large scale". So in the example above, it is no longer so clear that the conditions for needing a DPO within a company are met.
> What is meant by data processing "on a large scale"?
In order to understand what is meant by processing "on a large scale", we recommend looking at Recital 91 of the Regulation, which describes the following situations, for which the Regulation also recommends carrying out a data protection impact assessment of the project:
- "Large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights."
- "Cases in which personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures."
- "For monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale."
- "The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory."
Consequently, a data protection officer will be necessary when the controller carries out data processing on a large scale, in the sense indicated in the previous point, and does so in an orderly, systematic and regular way.
> What is meant by "considerable amount of personal data" and "large number of data subjects"?
From a legal standpoint, other imprecisions are the expressions "considerable amount of personal data" and "a large number of data subjects".
Thus, the text of the proposed Regulation determined that when personal data of more than 5,000 individuals were collected and processed on a continuous basis within a year, incorporating a DPO could be considered.
Therefore, from a legal point of view, these figures would have to be taken as the benchmark that establishes a "considerable amount of data" or "a large number of data subjects". However, the new Regulation does not specify this, so we will have to wait for national laws and/or the criteria of the European authorities to evolve and see whether they clarify the matter.
Despite everything said up to this point, it is likely that all of these uncertainties will be put into context over time, either because they will be defined more precisely by the national laws that, where necessary, supplement this European Regulation, or because the European data protection authorities, or the Article 29 Working Party, will decide on the matter.
Cases in which incorporating a DPO is recommended, but not mandatory
Additionally, the regulation indicates other cases where incorporating a DPO is not mandatory, but is advisable. These cases are:
- When there is legal complexity in data processing;
- To better inform stakeholders about their rights and methods of protecting their data;
- In order to ensure the privacy of customers or users, and also to prevent incurring penalties.
Another question that arises is whether a Data Protection Officer will be required for enterprises with fewer than 250 employees, since the Regulation aims to take small and medium-sized companies into account (Recital 13) so as not to impose on them, in principle, more obligations than they could assume. It is understood that this will also depend on the complexity of the company and on the category and volume of data it processes. We will have to see how this idea evolves over time.
The Regulation also states that a company or business group may appoint a single data protection officer, whenever he/she is easily accessible from each establishment the company or business group has.
Additionally, the Regulation states that when the controller or processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking into account their organizational structure and size.
In the next post we will discuss the tasks of a DPO, the requirements a person must meet to become this professional, and from what point in time it will be mandatory to include this role in your company.
This is a guest post by Vanesa Alarcón Caparrós.