When is a Data Protection Officer really required?

June 7, 2018

The General Data Protection Regulation describes a number of roles in the data processing process, including the role of Data Protection Officer. The Data Protection Officer is also referred to as the DPO. A DPO is an internal or external supervisor of compliance with the privacy ordinance within an organisation. This blog post addresses the question of when the GDPR really does require a DPO.

From choice to obligation

The General Data Protection Regulation (GDPR) includes the appointment of a DPO as a can-do provision. A can-do provision means that there is freedom of choice about its application. The privacy ordinance partly deprives organisations of the possibility to make their own choice and makes the appointment of a DPO mandatory in three cases.

The obligation applies to specific organisations or when a certain type of processing of personal data is carried out:

1. Public organisations/bodies with the exception of courts acting in their judicial role;

2. Organisations principally concerned with processing operations which, by their nature, size and/or purposes, require regular and systematic large-scale observation of data subjects;

The working group of European privacy regulators (WP29) adds colour to the elements 'observation' and 'regular' in their Guidelines on Data Protection Officers (April 2017). An observation is qualified as 'regular' if it is observed in one or more of the following ways:

  • Continually or for a specified period of time, at specified intervals;
  • Returned or repeated at fixed times;
  • Constant or periodic.

Systematic' observation takes place on the basis of a system and is prearranged, organised or systematic. In determining whether there is 'large-scale processing', four factors must be taken into account:

  • The number of persons involved (figures or a percentage)
  • The amount of data and/or the amount of different data processed.
  • The duration or permanence of the data processing.
  • The geographical scope of the processing.

In the future, a standard may be developed for a more precise determination of what large-scale processing is.

3. If one of the core activities of an organisation is the large-scale processing of (special) personal data or data relating to criminal convictions and offences.

According to the WP29, an organisation's core activities include processes that are essential to achieving the organisation's objectives or that are part of the organisation's main tasks. It is striking that the privacy ordinance does not link numerical criteria to the appointment of a DPO. The size of the company or the number of employees of an institution is independent of any obligation to appoint a DPO. However, having to appoint a DPO to organisations with 250 or more employees is a persistent rumour. Further European or national legislation may require an increase in the number of compulsory appointments: Please check if your home country or country of residence has passed stricter legislation. In Germany, for example, the legislation requires almost every organization to appoint a DPO.

Use of voluntary appointment of a DPO

If an organization is not obliged by the privacy regulation to appoint a DPO, an organization may still do so voluntarily. The WP29 encourages voluntary appointment. Please note, voluntary does not mean non-committal. A DPO that has not been appointed on the basis of an obligation must adhere to the same rules and frameworks as a DPO that has been appointed on the basis of an obligation.

Having an in-house DPO can bring various advantages to an organisation, such as

  • The DPO can act as an independent supervisory authority for compliance with the privacy ordinance and as a direct point of contact for the supervisory authority;
  • The DPO can be a point of contact for data subjects in exercising their rights vis-à-vis the controller;
  • The DPO can act as an intermediary with different stakeholders;
  • The DPO can play a supporting role in carrying out (Data) Privacy Impact Assessment (D)PIA and advise on the risks of data processing;
  • When carrying out an audit or demonstrating a level of accountability, a DPO can take tasks off an organisation.

Read more about the Privacy Heroes of Privacy Company.