The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018. While the existing principles still apply (such as the principles of legitimacy, necessity and proportionality), the new text is accompanied by new measures. Among these, the GDPR requires, under certain circumstances, the data controller and data processor to designate a data protection officer (see Articles 37-39 of the GDPR).
The Article 29 Working Party published some guidelines on data protection officers (Art. 29 Working Party, Guidelines on Data Protection Officers, 13.12.2016).
The tasks of the data protection officer (DPO) are listed in Article 39 of the GDPR. One of the most important is that the DPO must monitor compliance with European and national data protection legislation. So that the DPO can perform his or her duties as effectively as possible, the Article 29 Working Party specifies that the data controller and data processor must assist this person by providing the necessary resources and by allowing access to personal data and processing operations.
Accordingly, the DPO must also facilitate the implementation of core elements of the regulation, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security, and the notification and communication of data breaches.
Other functions are cooperating with the supervisory authority and acting as the contact point for the supervisory authority on issues relating to the data processing.
In order to carry out these functions, the DPO must demonstrate expert knowledge of data protection law. The level of expertise should be adequate for the nature (the sensitivity, complexity, etc.) and the amount of the data to be processed. For more details on this point, see the guidelines from the Article 29 Working Party.
According to Article 37.1 of the GDPR, designating a DPO is an obligation in three circumstances. First, when the processing is carried out by a public authority or body, except for courts acting in their judicial capacity. Second, when the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale. Last but not least, when the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or of personal data relating to criminal convictions and offences referred to in Article 10.
The Guidelines from the Article 29 Working Party are relevant for clarifying the notions of “core activities” and “large scale”.
The notion of “core activities” relates to the primary activities of the organisation and does not cover the processing of personal data as an ancillary activity (see Recital 97 of the GDPR). The Article 29 Working Party states that “Core activities can be considered as the key operations necessary to achieve the controller or processor’s goals” (Art. 29 Working Party, Guidelines on Data Protection Officers, 13.12.2016, p. 16).
According to the GDPR, “large-scale operations” refers to the processing of a considerable amount of personal data at regional, national or supranational level, and to processing that could affect a large number of data subjects (see Recital 91 of the GDPR).
The number of data subjects concerned, the volume of data, the duration of the processing and the geographical extent of the processing activity are factors that need to be taken into account (Art. 29 Working Party, Guidelines on Data Protection Officers, 13.12.2016, p. 7).
The DPO may be a staff member of the data processor or an external person. The data processor must ensure that the potential DPO has no conflict of interest and is able to act in an independent manner.
This latter point is crucial. The DPO must be able to act in an independent manner. This independence depends on several factors. First of all, the data controller or data processor may not give the DPO any instructions regarding the accomplishment of his or her tasks. Independence also implies that the DPO cannot be dismissed or penalised, directly or indirectly, by the data controller or data processor for performing those tasks.
Finally, the DPO cannot be the individual who determines the purposes and the means of the processing of personal data. For more information about the qualities required of a DPO, see the Guidelines established by the Article 29 Working Party.
TeSLA is coordinated by Universitat Oberta de Catalunya (UOC) and funded by the European Commission’s Horizon 2020 ICT Programme. This website reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.