The appointment of the DPO is required by the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”).
1. In which case is the appointment of a DPO mandatory?
The designation of a DPO is mandatory when:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data, such as sensitive data or data relating to criminal convictions and offences.
The first drafts of the GDPR provided that a DPO had to be appointed in companies with at least 250 employees. The final text of the Regulation no longer contains this requirement. This is rather positive, since the number of employees in a company has nothing to do with the processing of personal information that may be carried out in that company. The appointment of a DPO depends solely on the activities of the company in question.
In a group of companies, it is also possible to appoint a single DPO on the condition that the DPO is easily accessible from each establishment. The DPO may be a staff member or employee of the controller or processor, or he can be an external service provider (based on a service contract). His contact details have to be published and communicated to the privacy commission (the supervisory authority).
2. The appointment of a DPO can also be useful
Even if the appointment of a DPO is not mandatory, companies can choose to appoint one anyway.
It can even be recommended, since the DPO is the point of contact for the privacy commission and for the data subjects with regard to the processing of personal information within the company. The DPO will supervise, and will be involved in, all matters of the company relating to the processing of personal information.
A DPO can also fulfill other assignments within the company. His mission need not be limited to tasks regarding the processing of personal information.
3. The position of the DPO
The controller and the processor have to ensure that the DPO is involved properly and in a timely manner in all issues which relate to the protection of personal data.
The controller and processor shall support the DPO in the performance of his tasks. The controller and the processor have to provide the resources necessary to carry out those tasks and access to personal data and processing activities, and to maintain his expert knowledge.
Data subjects may contact the DPO with regard to all issues related to the processing of their personal data and to the exercise of their rights under the GDPR.
The DPO shall be bound by secrecy or confidentiality concerning the performance of his tasks. As stated before, the DPO may fulfill other tasks and duties, but the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
Finally, it is very important to note that the controller and processor shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks. He shall not be dismissed or penalized by the controller or processor for carrying out his tasks, and he shall report directly to the highest management level of the controller or the processor, in order to guarantee that the obligations concerning the processing of personal information are protected and followed.
4. Tasks of the DPO
Pursuant to the GDPR, the DPO is charged with different tasks.
He has to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and other data protection provisions.
The DPO has to monitor compliance with the GDPR and other data protection provisions, and with the policies of the controller or the processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
The DPO also has to provide advice where requested as regards the data protection impact assessment and monitor its performance.
It is of course required that the DPO cooperates with the privacy commission. In this regard, the DPO has to act as the contact point on issues relating to processing.
The GDPR stipulates that the DPO shall in the performance of his tasks have due regard to the risks associated with the processing operations, taking into account the nature, scope, context and purposes of processing.
As from 25 May 2018, companies who meet the criteria shall have to designate a DPO.
On the other hand, companies who are not required to designate a DPO should still take it into consideration.
The position of the DPO entails that he operates independently from the company where he is designated. He has to ensure that the processing of personal data is carried out correctly, and he has to intervene if this is not the case.
It is fair to say that the DPO has an important role to play. Companies who are required to designate a DPO should not wait until the GDPR is applicable to appoint one.