DPOs and the GDPR: Part 2 - Appointing a DPO
10 January 2017
In its newly published opinion, the Article 29 Working Party (WP29) provides useful input into the discussion of the nature of the role of data protection officers (DPOs) under the GDPR. This is a question which many organisations have been grappling with as they assess who should take on this role.
The WP29 considers the qualifications required for this position and other issues such as conditions for appointment of a single DPO for a group of undertakings, conflict of interest and ability to dismiss a DPO. The approach of WP29 to some of these issues may not seem very business-friendly at times, but we believe that there is still sufficient room for reasonable interpretation of the relevant provisions.
Who should I choose?
The basic requirements for a DPO are set out in the GDPR at Articles 37 and 38. Organisations should select their DPO based on professional knowledge, expert knowledge of data protection laws and practices (determined according to the processing operations carried out), and the ability to perform tasks such as advising the controller or processor of their data protection obligations and monitoring compliance. They need not necessarily be an employee but could fulfil the role under a service contract.
The DPO must be able to act independently of the organisation, be involved in all relevant issues in a timely manner, and report directly to the highest management level. They can have other duties as long as they don’t conflict. The GDPR also requires the DPO to be provided with the necessary resources to carry out their tasks and maintain their knowledge.
The guidance both reaffirms these provisions and gives organisations practical guidance on how they can appoint a DPO in accordance with the spirit of the GDPR. It stresses the key role of the DPO in fostering a data protection culture and implementing essential elements of the GDPR (such as recording processing activities). It also sets out examples of how to involve DPOs to achieve this, such as providing them with information and including them in management meetings.
The WP29 states that a higher level of expertise on the part of the DPO is required where data processing activity is particularly complex or involves a large amount of sensitive data. The knowledge requirement extends to both data protection law and the internal structure and processes of the organisation itself, and the DPO should also play a role in promoting a culture that complies with key GDPR concepts such as privacy by design.
To back this up, the DPO will require sufficient resources, and the guidance elaborates on what this means. Examples include senior management support, sufficient time and resources (financial, infrastructure and support services) and possibly a team. It also considers the requirement to act independently, which means not being told how to deal with a matter, but equally not having powers beyond the scope of the DPO role.
These strict and fairly onerous requirements may, in some cases, mean that existing data protection officers will not be suitable for the role (or may not feel comfortable with the responsibilities of the position) once the GDPR applies. Organisations need to assess who the appropriate person might be.
When can a single DPO be appointed for multiple organisations?
One feature of DPOs under the GDPR that could significantly decrease the administrative burden on multinational companies is the possibility of appointing a single DPO for a group of undertakings. The GDPR stipulates that this is only possible if the DPO is “easily accessible from each establishment”.
According to WP29, an easily accessible DPO must communicate efficiently with data subjects and cooperate with the supervisory authorities concerned. This means that the DPO’s contact details must be available and they must be able to communicate in the appropriate language. Given this, it is clear that any DPO appointed to perform this role in a large number of jurisdictions will need to be provided with sufficient support and resources to be able to communicate effectively in all relevant languages.
The WP29 also states that a DPO should be personally available to all relevant employees, meaning either physically on the same premises as employees or via a hotline or other secure means of communication. It is therefore questionable whether a group of undertakings of a certain size will be able to manage with just one DPO.
Despite the obligation of personal availability stressed by the WP29, there should, in our view, be a possibility for a group of undertakings to have a single DPO in charge of several companies. The DPO would be supported by a team, but would have ultimate responsibility for the decisions and recommendations provided by such a team. This point is not expressly addressed in the WP29 guidance.
It is also possible to use an external DPO (which may be an individual or a company). One member of the external DPO’s team should then be designated as a contact person. Care will need to be taken with the service contract.
What rights and liabilities does a DPO have?
The guidelines provide quite detailed analysis of the GDPR provisions stipulating the rights and liabilities of the DPO. There are three particular issues worth highlighting:
No personal liability
The WP29 first of all states very clearly that DPOs shall not be responsible in case of non-compliance with the GDPR. Only controllers and processors have their own obligations under the GDPR, not the DPO.
This being said, external DPOs may nonetheless assume contractual liability towards the controllers or processors who appointed them.
Conflict of interest
The GDPR allows DPOs to perform other duties in addition to the role of a DPO, but only to the extent that this does not give rise to a conflict of interest. This rule is interpreted by the WP29 in such a way that the DPO cannot hold a position within the organisation that would give them the power to determine the purposes and the means of the processing of personal data. The specific structure of the organisation will need to be looked at, but alarm bells might ring where senior management positions are considered for DPO (e.g. CFO, Head of Marketing).
Dismissal of a DPO
The independence of a DPO is one of the key features of the role. This principle is reflected in Article 38(3) of the GDPR, which stipulates that a DPO shall not be dismissed or penalised for performing his or her tasks. It is common, in countries which already have a DPO requirement, to see this type of protection in relation to the performance of the employee’s role, allowing them to exercise their duties.
The WP29 emphasises that a DPO may only be penalised or dismissed for reasons unrelated to carrying out his or her duties. The example given is that the DPO cannot be dismissed for providing advice which the company (as data controller) disagrees with. Penalties could be indirect (such as delay of promotion). The examples given of misconduct entitling a company to terminate the employment or a service contract with a DPO include theft, physical, psychological or sexual harassment or similar gross misconduct. However, while the guidance does not spell it out, it must follow that a DPO could also be dismissed for poor performance (as opposed to providing advice the company does not like) given the strict requirements a DPO must meet.
Employment laws of the relevant Member States will also have to be taken into account.
The WP29 has invited stakeholders to comment on the guidance it has released until the end of January 2017, so we may see further iterations based on that feedback.