The General Data Protection Regulation (GDPR) describes a number of roles in the processing of personal data, among them the Data Protection Officer (DPO). A DPO is an internal or external supervisor of compliance with the privacy regulation within an organisation. This blog post addresses the question of when the GDPR actually requires a DPO.
The GDPR frames the appointment of a DPO as a discretionary ('can') provision, meaning that organisations are in principle free to decide whether to apply it. The Regulation partly removes that freedom of choice by making the appointment of a DPO mandatory in three cases.
The obligation applies to specific organisations or when a certain type of processing of personal data is carried out:
1. Public organisations/bodies with the exception of courts acting in their judicial role;
2. Organisations whose core activities consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic large-scale observation (monitoring) of data subjects;
The working group of European privacy regulators (WP29) elaborates on the elements 'observation' and 'regular' in its Guidelines on Data Protection Officers (April 2017). Observation qualifies as 'regular' if it occurs in one or more of the following ways:
'Systematic' observation takes place on the basis of a system: it is prearranged, organised or methodical. In determining whether there is 'large-scale processing', four factors must be taken into account:
In the future, a standard may be developed to define large-scale processing more precisely.
3. Organisations one of whose core activities is the large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.
According to the WP29, an organisation's core activities are the processes that are essential to achieving the organisation's objectives or that form part of its main tasks. Notably, the Regulation attaches no numerical criteria to the obligation to appoint a DPO: the size of a company or the number of employees of an institution has no bearing on whether a DPO must be appointed. The claim that organisations with 250 or more employees must appoint a DPO is nonetheless a persistent rumour. Further European or national legislation may increase the number of mandatory appointments, so check whether your home country or country of residence has passed stricter legislation. In Germany, for example, the law requires almost every organisation to appoint a DPO.
If an organisation is not obliged by the Regulation to appoint a DPO, it may still do so voluntarily, and the WP29 encourages voluntary appointment. Note, however, that voluntary does not mean non-binding: a DPO appointed voluntarily must adhere to the same rules and frameworks as a DPO appointed under a legal obligation.
Having an in-house DPO can bring various advantages to an organisation, such as
Read more about the Privacy Heroes of Privacy Company.