What is a DPO and who must appoint one?
You are not obliged to hire a DPO unless you process data on a large scale or process data as described in Articles 9 and 10. To be specific: Article 9 covers information such as biometrics, genetics, race, political preference, religion, or health; Article 10 covers information concerning criminal offences or convictions.
Most SMEs will likely not have to appoint a DPO. This does not mean, however, that you cannot appoint one. You can choose to appoint someone, but if this person has the title “DPO” or “Functionary for data protection”, you will be obliged by law to comply with all regulations of the GDPR.
Small businesses are therefore advised to make an external party or a colleague responsible for the GDPR, but NOT to give them the title of DPO.
What does “large scale data processing” mean exactly?
The GDPR does not mention specific numbers. You have to determine, case by case, whether you are processing large amounts of data.
You have to take into account the following:
- The number of data subjects involved.
- The volume of data and processed information.
- The duration or permanence of the processing.
- The geographic spread of the processing.
A few examples of large scale processing:
- Processing of patient data as part of usual operations of a hospital.
- Processing of data about travellers who use public transport in a city (for example, by tracking them using a tourist card).
- Processing of actual customer locations of an international fast food chain for statistical purposes.
- Processing of customer data as part of usual operations of an insurance company or a bank.
- Processing of personal data by a search engine to show ads based on internet activity.
- Processing of data by telecom operators (e.g. content, traffic, locations).
Some examples of processing which are not classified as large scale:
- Processing of patient data by an individual doctor.
- Processing of personal data about convictions or similar by an individual lawyer.
If you do however choose to appoint a DPO, what are the obligations?
The GDPR tasks the DPO with ensuring compliance with the GDPR. The DPO helps the controller or the processor check whether the GDPR is being followed internally. To do this job, the DPO is allowed to do the following:
- Collect information to identify the processing activities.
- Analyse and control the processing activities.
- Advise the responsible person and give recommendations.
The DPO will also cooperate with the data protection authorities to exercise the rights of the involved parties. These tasks involve the functionary’s role as facilitator. The DPO acts as a contact point to make it easier for the authorities to get access to the documents or information they may need for their tasks and for exercising their powers, such as the authority to investigate and take corrective action.
The DPO is also the contact for people who wish to exercise their rights. Usually a dedicated contact address (e-mail, telephone number, …) is created for this purpose.
According to the GDPR, it is the responsibility of the controller and not the DPO to keep a register of processing activities. The DPO will likely keep a record of processing activities themselves, based on information provided by the different segments of the organisation that are responsible for the processing of personal data.
According to the GDPR, it is the responsibility of the controller to carry out a data protection impact assessment. The DPO can, however, be an important source of information and help for the controller.
Attention! The DPO must be completely independent!
If the DPO is not independent in his work, you can be fined. The GDPR provides multiple guarantees to help the DPO do his work independently:
- The DPO is not to be instructed on how to complete his tasks.
- The DPO cannot be punished, fired or held accountable for the execution of his tasks.
- There may not be any conflict of interest between the DPO’s tasks and any other functions the DPO may have.
When you appoint a DPO, you are responsible for providing the resources that the DPO may need for his tasks.
The more complex or sensitive the situation is, the more resources should be provided to the DPO.
Based on this, the DPO must have access to the following:
- Active support by higher management.
- Sufficient time for the DPO to complete his tasks.
- Sufficient support concerning financial resources, infrastructure and when necessary, personnel.
- Official communication about the appointment of the DPO to all employees.
- The required access to other segments of the company so that the DPO can receive the necessary input, feedback and information which are essential for the completion of their tasks.