
26 Jan 2017

Article 29 Data Protection Working Party GDPR Guidelines on Data Protection Officers


Introduction

Article 37 of the General Data Protection Regulation (the GDPR) introduces a mandatory requirement for certain organisations, data processors and data controllers alike, to designate a Data Protection Officer (DPO).

Although many organisations may already have a designated DPO in place, Article 37 GDPR makes this a statutory requirement for certain data controllers as well as some data processors. It also imposes demanding requirements on those organisations in respect of the DPO's qualifications, role and independence.

The Article 29 Working Party (WP29) has published updated guidelines on the interpretation and practical implications of this new requirement (the Guidelines), which are summarised below.

Who needs a DPO?

A DPO is envisioned as the cornerstone of accountability and the key intermediary between data controllers/processors, data subjects and supervisory authorities under the GDPR.

Article 37 GDPR requires the mandatory designation of a DPO in the following three circumstances:

  1. where public authorities and bodies process data;

  2. where a data controller or processor's core activities require the systematic and regular monitoring of data subjects on a large scale; or

  3. where a data controller or processor's core activities require the large scale processing of special categories of data and personal data relating to criminal convictions.

Unless it is obvious that an organisation is not required to designate a DPO, the WP29 guidance recommends that, in the interests of accountability, if an organisation decides not to appoint a DPO on a voluntary basis then it should document the decision and identify all of the relevant factors that were considered during the decision making process.

The WP29 recommends the following interpretations of the criteria and terminology used:

"Public authorities and bodies" should be interpreted to include national, regional and local authorities and, under the applicable national laws, a range of other bodies governed by public law. The WP29 recommends, as a good practice, that private organisations carrying out public tasks or exercising public authority designate a DPO and that such a DPO’s activity should cover all processing operations carried out by that organisation.

"Core activities" can be considered as the key operations necessary to achieve the controller’s or processor’s goals.

"Large Scale" should be interpreted in accordance with the number of data subjects concerned, the volume or range of data concerned and the duration and geographical extent of the processing activity.

"Regular and systematic" can be interpreted as meaning (i) ongoing, occurring or repeated at fixed times or particular intervals, constantly or periodically, which is (ii) pre-arranged, organised, part of a strategy or carried out according to a system.

Depending on who fulfils the criteria on mandatory designation, in some cases only the controller or only the processor is required to appoint the DPO. In other cases it may be a requirement on both the controller and its processor (who should then cooperate with each other).

DPO requirements

The requirements that designated DPOs are expected to fulfil are as follows:

  • Expertise - the DPO must have a level of expertise that is commensurate with the sensitivity, complexity and amount of data processed by the relevant organisation (with particular regard to whether or not personal data is transferred beyond the EEA);
  • Professional qualities - the DPO must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. DPOs appointed for public authorities should have an excellent knowledge of the administrative procedures of their organisation, while DPOs operating in the private sector must also have a good knowledge of the industry within which they are active;
  • Ability to fulfil tasks - the DPO should demonstrate integrity and high professional ethics and, as a primary concern, enable compliance with the GDPR.

Appointing a DPO

It is possible for multiple establishments within one group to share a single DPO. However, in order to do so the relevant organisation must ensure that the nominated DPO can be easily accessed from any of the establishments covered. This includes ensuring that the DPO can be communicated with in the different languages used at the various establishments within the group covered by that DPO. The availability of the DPO (whether physically on the same premises as employees, via a hotline or through other secure means of communication) is essential to ensure that data subjects will be able to contact the DPO.

Organisations are able to appoint DPOs externally. The DPO can be designated on the basis of a service contract with a separate individual or organisation, provided that there is a clear allocation of tasks and responsibility between the external DPO and the data controller or processor.

It is a requirement of the GDPR that the controller or the processor publish the contact details of the DPO and communicate those contact details to the relevant supervisory authorities. Publishing the DPO's name is not mandatory, but as a matter of good practice the WP29 recommends that organisations make this information available on the organisation's intranet or internal telephone directory. However, it is essential that the DPO's name is communicated to the supervisory authority in order for the DPO to serve as a contact point between the organisation and the supervisory authority.

The WP29 also highlights the importance of guaranteeing confidentiality, as employees may be reluctant to raise concerns with the DPO if the confidentiality of their communications is not ensured.

The DPO's position

Article 38 GDPR requires that the DPO must be "involved, properly and in a timely manner, in all issues which relate to the protection of personal data" by its appointing organisation. For example:

  • the DPO should be included in all relevant working groups;
  • the DPO should be invited to participate in meetings with senior and middle management; 
  • the DPO should be promptly consulted whenever a data breach or other similar incident occurs; and
  • where appropriate, the controller or processor may wish to develop data protection guidelines or programmes that set out when the DPO must be consulted.

The DPO must be given the necessary resources and access to processing operations to allow it to fulfil its duties, including:

  • being actively supported at board level;
  • being given sufficient time to carry out its tasks; and
  • having access to all other services within the organisation as required (e.g. HR and legal), and being provided with a dedicated team if necessary.

DPOs must also be guaranteed a level of independence within the organisation and must not be dismissed or penalised by the controller or processor for performing their duties as a DPO. The WP29 Guidelines clarify that organisations must not give the DPO instructions as to how they should carry out their tasks or interpret the GDPR.

Conflicts of interest must be avoided wherever possible. To prevent them (and to ensure the DPO can act independently), the WP29 guidance provides the following (non-exhaustive) list of practical examples of good practice:

  • identify positions that aren’t compatible with the DPO;
  • create internal rules to prevent conflict; and
  • ensure that job adverts and service contracts provide enough detail to avoid conflicts arising at a later date.

The DPO's tasks

A DPO's primary task is to monitor the relevant organisation's compliance with the GDPR by collecting information to identify processing activities, analysing compliance of processing activities, and informing, advising and issuing recommendations to the data controller or processor.

The Guidelines suggest that an effective accountability measure would include tasking the DPO with maintaining the record of processing operations under the responsibility of the controller. Such a record should be considered as one of the tools enabling the DPO to perform its tasks of monitoring compliance, informing and advising the controller or the processor.

PIAs

Although there is no express requirement that DPOs should be responsible for carrying out Data Privacy Impact Assessments (PIAs) for their organisations, in reality many organisations may choose to delegate this task to the DPO as part of its standard duties, which can be a useful and important role in assisting the controller. The Guidelines recommend that the controller should seek the advice of the DPO in relation to:

  • whether a PIA needs to be conducted;
  • whether the PIA should be conducted in-house or outsourced; 
  • what methodology should be used; and
  • once conducted, whether the proposed activity complies with the GDPR.

The WP29 recommends that, where the DPO's advice is not followed, the PIA documentation should specifically justify in writing why the advice has not been taken into account and the DPO should record a dissenting opinion. However, despite the DPO's involvement in the conduct of PIAs, ultimate responsibility for compliance will remain with the appointing organisation, and DPOs will not be personally responsible for non-compliance with the GDPR.


Key contacts

Jonathan Kirsop, Partner (London)

Alison Kenney, Associate (London)