A data protection officer helps the company comply with data protection—the DPO monitor and review their organisation’s compliance with applicable legislation, regulation, and standards. Appointing a DPO is often mandatory for both controllers and processors. The GDPR sets strict requirements for the competence, tasks and independence of the role. This article explains what a DPO is, what competencies the person filling the role must have, when to appoint a one, the position of the DPO and what tasks the DPO have. Reading time: 12 minutes.
The purpose of the data protection officer
The purpose of the role is to provide the organisation with the capabilities to use personal data in accordance with laws and regulations and the expectations of individuals. A successful DPO can create a balance between compliance and business innovation while managing risks.
The role of the DPO is regulated by Articles 37-39 of the GDPR. In general, the role shall advise and inform their organisation of applicable legislation and standards, advise on risk assessments and DPIAs and act as a liaison to the supervisory authority and data subjects.
Data protection officer competencies
You should appoint a DPO based on professional qualities and expert knowledge. The DPO competencies and responsibilities include in-depth knowledge about the organisation. Below, we go through what to consider when you consider what profile you need to appoint as a DPO.
The level of requirements may depend on the complexity of your organisation’s business
The company’s processing activities determine what expertise the DPO needs. Aspects to consider are, e.g. complexity, scale, and the nature of personal data. If the IT systems are complex or transfer data to third countries outside of the EU/EAA may occur, you need to consider this. So, certain DPO’s will need to have more technical or legal know-how than others. The more complex the area of processing is, the stricter the requirements on the DPO.
Do your legitimate interest assessments stand up to scrutiny?
Connect with leading experts to secure your documentation before an audit. Ask for a second opinion from our experts. Track record with leading European startup, mid-size companies and listed global enterprises.
Get a quote today from the business law firm Sharp Cookie Advisors
Expertise and skills of the DPO
The DPO must demonstrate “expertise in national and European data protection law”. Article 37(5) provides that the role “shall be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”. Guidance on determining what level of expertise is required is found in GDPR recital 97: “the necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed”.
The level of expertise must be in proportion to the complexity and sensitivity of the organisation’s personal data. A higher level of knowledge is required for complex processing of health data or online profiling, compared to processing HR data for standard operations.
The Guidelines on Data Protection Officers (DPOs) sets out that the role shall have expertise in national and EU data protection laws and practices and an in-depth understanding of the practicalities of the GDPR.
The DPO must also have in-depth knowledge and experience with the relevant business sector and the organisation’s objectives. The DPO should also come to learn to understand the organisation’s processing activities and the systems used. A DPO for a public authority must, in addition to the above, possess knowledge of applicable administrative rules and procedures.
Personal qualities of the DPO
The DPO must be able to fulfil its duties. Personal qualities shall include integrity and high professional ethics, and the DPO’s primary objective is to enable compliance with the GDPR.
The DPO is a leader in their organisation to develop privacy leadership and culture to help the organisation to implement the essential elements for compliance:
- Principles of data processing
- Data subject rights
- Data protection by design and by default
- Record of processing activities
- Security of processing and
- Notification and communication of data breaches.
When to appoint a DPO
There are clear rules for when an organisation must appoint a data protection officer:
- public authority or body; or
- the core activities include large-scale regular and systematic monitoring of individuals; or
- the core activities consist of large-scale processing of special categories of data, or
- personal data relating to criminal convictions and offences.
The duty to appoint a DPO applies both to organisations acting as controllers and as processors.
Always mandatory for a public authority or body
If your organisation is a public authority or body, it is mandatory to appoint a DPO. Courts acting in their judicial capacity are excepted from the requirement. What a public authority or body is, or is not, is determined by national law. It can be natural or legal persons who are governed by public or private law. One example of this would be public transport services.
Mandatory if the core activities include large-scale use of personal data
Core activities are the company’s primary business activities. This means that if you need to process personal data to fulfil your key goals, this is a core activity. For example, profiling your customers or website visitors will fall under this category.
This is distinguished from processing data with other secondary purposes (e.g., for HR or to pay salaries). For example, hospitals would need to appoint a DPO. This is due to their large-scale processing of extra sensitive data.
Mandatory in case of large-scale regular and systematic monitoring
It is not possible to give a precise number of individuals to be concerned to be “large scale”. It is, however, possible to single out some relevant factors. The number of data subjects involved, the volume of data and the geographical extent are examples of relevant factors.
Regular and systematic monitoring includes all forms of tracking and profiling online. One example is processing data for the sake of behavioural advertising. Monitoring is not limited to the online environment and includes offline activities as well.
Mandatory in case of use of special categories of data
Special categories of data are types of personal data that are likely to be extra sensitive. Therefore, they are provided extra protection such as personal data revealing racial or ethnic origin, or medical and health data. For a more comprehensive explanation, read our article on Extra Sensitive Data.
Voluntary appointment of a DPO
Companies that are not required to appoint a data protection officer may still choose to do so. By doing this, they can improve their data protection standards. The use of a DPO is also a method for ensuring good communication with supervisory authorities and data subjects. Additionally, it is a way to ensure compliance and show a will to improve your privacy routines and data protection.
If the supervisory authority is considering imposing a fine, having a DPO could be accounted for in your favour. However, it is essential to note that appointing a data protection officer means that the same duties and responsibilities apply had you been required to select one. You must support your DPO to the same standards.
Report the DPO appointment to the supervisory authorities
Make sure to report the appointment of a data protection officer to the concerned supervisory authorities. Some national laws require the organisation to register and pay a registration fee (note the UK), failure to pay such fee is subject to a fine.
Not appointing a DPO may result in fines
If the company does not appoint a data protection officer, documentation of the decision is required with legal reasoning as to why it waived.
In one case, an Austrian company in the medical sector did not appoint a DPO. Their core activities included large-scale processing of medical data. They were given a (none-final) fine of 50,000 EUR by the Austrian supervisory authority in 2018 (you can read the decision in German here).
Outsourcing the Data Protection Officer
The DPO’s role can be fulfilled by an internal function or by an external consultancy from under a service contract. The assignment does not have to be full-time, but what is required for the organisation to comply with the GDPR and for the data protection officer to have sufficient time and resources to carry out their assignment well.
The exact requirements apply concerning competencies, skills and independence. Individual skills can be combined in the consultancy organisation so that several individuals carrying out the DPO function as a team may work together. If an organisation is designated as DPO, it is recommended that a lead consultant be named in the service agreement.
Position of the data protection officer
The DPO role can be fulfilled by an internal function or based on a service contract. Irrespectively how the position is filled, the DPO shall sit within the organisation, making it possible to perform their duties.
The DPO shall be involved in all issues related to the protection of data
In all things relating to data protection, you must consult the DPO at the earliest stage possible. Article 38 of the GDPR provides that the controller and the processor shall ensure that the DPO be “involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.
Organise the work of the organisation to ensure, for example, that:
• The DPO is involved and invited to regular meetings with senior and middle management;
• DPO’s presence is recommended where decisions influencing the use and protection of personal data are taken. Materials shall be shared with the DPO on time;
• DPO’s opinion must always be considered and valued. In the case of the senior management’s disagreement with the DPO’s opinion, the EU expert group on GDPR recommends documenting the reasons for not following the DPO’s advice.
• The DPO must be promptly consulted once a data breach or an incident has occurred.
The DPO shall have the necessary resources
The DPO shall have the necessary resources to carry out its tasks and duties, Article 38(2) GDPR. The following aspects are considered to fulfil this requirement:
• Active support of the DPO function by senior management, including board level;
• Sufficient time for DPO to complete their tasks and duties is critical when the DPO is a part-time commitment.
• Adequate support in terms of financial resources (own budget), infrastructure and staff;
• Official communication of the appointed as DPO;
• Access to other services within the organisation as appropriate, ability to retain own legal advice, IT, security, etc.;
• Receive continuous training; and
• Ability to train and employ their staff or expand the DPO team if necessary.
Independence of the DPO
The data protection officer must carry out their duties without interference Article 38(3). Therefore, you cannot instruct the DPO on how to deal with a specific matter. Although the DPO must be autonomous, its power does not extend beyond Article 39 GDPR.
If you do not follow the DPO’s advice, the DPO can show its dissent to the decision-makers. The ultimate responsibility lies with the controller or processor.
The autonomy of DPOs does not mean that the role have decision-making powers extending beyond their tasks according to Article 39.
The DPO’s independence does not mean that the DPO is responsible or liable for any fault of their organisation, implementing the DPO’s opinion or recommendations.
The company should not dismiss or penalise the DPO for performing their duties. This includes direct or indirect penalties and threats of any such corrections. It does not hinder the lawful dismissal of a DPO on other grounds than their work as in this role. In reality, such dismissals will be more challenging to carry out due to the risk of looking like a reprisal.
Freedom from Conflict of interest
The data protection officer must not have any conflicts of interest that may hinder the DPO from fulfilling its tasks and duties. The DPO can have other responsibilities for the organisation, but certain positions are not suitable as they are considered conflicting with the DPO role. As a rule of thumb, senior management positions, such as CEO, CFO, or head of marketing, HR, or IT, could be unsuitable. Functions lower down in the organisation could also be inappropriate in they influence how personal data is used or protected. Conflict of interest is considered a severe violation of the GDPR and is often fined by the supervisory authorities.
Learn more about the conflicting roles in the DPO organisation in our in-depth article DPO Conflict of Interest.
Tasks of the DPOs
The role of the data protection officer is defined by Article 37-39 of the GDPR. The DPO shall:
• monitoring compliance with the GDPR by providing advice and inform the organisation of the applicable EU and national laws, regulations and standards;
• advise on data protection impact assessments (DPIAs); and
• act as the liaison to the supervisory authority and data subjects.
The expert group providing guidance on GDPR and data protection legislation have issues Guidelines on the requirements of data protection officers that offers more details on the various conditions.
The DPO is not personally responsible for non-compliance
Data protection compliance is a corporate responsibility of the organisation, not a single function as the DPO. The DPO is never personally liable if their organisation would violate the GDPR. It is always the organisation and its senior management responsible for implementing the DPO’s advice to achieve compliance with data protection law. They must be able to demonstrate compliance.
The GDPR makes it clear that it is the controller, not the DPO, who is required to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation” (Article 24(1) GDPR).
Note, however, that the DPO can be liable for serious negligence in performing its duties and tasks from an employment law perspective (if an internal employee) or from a professional liability perspective (in case of outsourcing the this function). This type of liability would presuppose serious malpractice and disregard for performing the tasks, which is another matter than the situation described above.
A DPO must advise and inform the organisation of applicable EU and national laws, regulations and standards. The DPO monitor compliance with applicable data protection law and internal policies. This includes the assignment of responsibilities and awareness-raising. Training of staff that are involved in processing activities is also vital. Furthermore, the DPO must be consulted about any other matter where it is appropriate. If a matter might concern data protection, the DPO should be involved, at least in assuring the quality of the process itself.
Article 39(2) GDPR requires the DPO to “have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of processing” – the so-called risk-based approach. It requires the DPO to prioritise their focus on issues that present higher data protection risks. It is essential guidance when conducting the annual data protection compliance audit, or DPIAs.
Risk Assessments and DPIAs
It is also within the data protection officer’s duties to advise on data protection impact assessments, so-called DPIAs. The DPO also monitors the performance of the DPIA. As a result, they will help decide when to conduct a DPIA and assess the risks. The DPO will also advise on whether the company’s conclusions are in line with the GDPR.
An organisation can choose to ignore the advice given by a data protection officer. If they decide to do so, they must specify, in writing, why they did so.
It is not enough that the DPO is merely informed about the DPIA. The person acting in the role must have a real influence on the risk assessment. In one case from 2020, a Belgian company did not involve their DPO in a DPIA and were fined 50,000 EUR by the Belgian supervisory authority (read the entire decision here in Dutch).
Communication with the supervisory authority
A DPO also acts as the liaison to the supervisory authority and data subjects. This means that they handle the communication with the relevant supervisory authority. This applies especially when the supervisory authority is exercising their investigative, corrective and powers. When you appoint a data protection officer, you must always notify the relevant supervisory authority. You must also provide them with the contact information of your DPO.
Publication of the DPO’s contact information
It is also essential to provide data subjects (inside and outside your organisation) and others with the contact information to your DPO. The role is supposed to act as a single contact point for data subjects. The communication must take place in a language used by the data subjects concerned.
Article 37(7) of the GDPR requires the organisation to:
• publish the contact details of the DPO and
• communicate the contact details to the relevant supervisory authorities.
The contact details of the DPO should include information such as:
• a postal address;
• a dedicated telephone number;
• a dedicated e-mail address; and as appropriate
• a dedicated hot-line or contact form to the DPO on the organisation’s website.
Publishing the name of the role is considered good practice. Still, it is not strictly necessary to publish to the general public due to security reasons or other legitimate reasons the organisation may have. The supervisory authority and internal employees should nevertheless always know the name of the DPO.
A German subsidiary company had appointed a DPO but not reported it to the supervisory authority. (The DPO was a part of their parent company located in Ireland, and it had only been reported there.) The supervisory authority gave them a fine of 51,000 EUR. The authority expressly stated that the penalty was to be seen as a warning to all companies. Companies must seriously take the GDPR, even regarding minor infractions (read the decision here, on pages 55–57 in German).
A Spanish company did not provide the contact information of their DPO and was fined 25,000 EUR by the Spanish supervisory authority (read the decision here in Spanish). The company had also not appointed this role to whom requests from data subjects could be addressed. They had instead used a data protection committee. This was, according to the supervisory authority, not sufficient.