EU Regulation 2016/679 – the well-known “General Data Protection Regulation”, which replaces and repeals Directive 95/46/EC on the same subject-matter – outlines the framework, the main points and the boundaries of the data processing field within the jurisdictional and geographical borders of the European Union.
Whilst most of the actors involved in processing personal data benefit from an extensive definition in Article 4 of the Regulation, the same cannot be said about the function of the Data Protection Officer (DPO), which is not clearly defined but can nevertheless be identified, since the DPO is designated by the controller or processor.
The controller may wonder in which situations they must appoint a DPO, what the DPO’s tasks will be and on what criteria the actual appointment will be made. For the first two questions, the answer is provided by the Regulation itself and will be explained under points 1 and 2. The third question, however, is answered only implicitly, abstractly and somewhat elliptically by the Regulation, which – as the title of the article suggests – may lead to difficulties in designating DPOs, an issue that will be dealt with under point 3.
1. When is it necessary to appoint a DPO?
The answer to this question is provided by Article 37 of the Regulation itself. Thus, the controller/processor must appoint a DPO whenever one of the following three criteria is met:
(a) public authority (“the processing is carried out by a public authority or body, except for courts acting in their judicial capacity”);
(b) large scale, regular monitoring (“the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”);
(c) large scale, special categories of data (“the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10”).
Concepts such as ‘public authority’, ‘core activities’ or ‘large scale’ are explained in the Guidelines on Data Protection Officers adopted in 2016 by the Working Party set up for this purpose under the former Article 29 of the Directive (https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf).
In addition to situations (a)-(c), the Regulation states that a DPO may be designated or – when required by Union/national law – must be designated in other cases where personal data are processed.
Put in simpler terms, the DPO will be designated in all cases where there is a regulatory provision to this effect (whether national or Union-wide – which, by its binding nature, is equivalent to a national one). In cases where there is no such provision, controllers or processors will have the power to decide whether to designate a DPO or not.
In both cases, the DPO may be a member of the controller’s/processor’s staff or an independent person performing their duties under a service contract. In neither case, however, will there be a relationship of subordination between the controller/processor and the DPO: the controller/processor cannot instruct the DPO in the performance of their tasks, and the DPO enjoys a certain degree of autonomy.
2. What are the tasks of the DPO?
Article 39 of the Regulation seeks to identify the minimum duties that the DPO must perform. Thus, these are:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
In addition to this minimum, and by no means exhaustive, list provided by the Regulation, Article 38 mentions that the DPO may perform other tasks and duties. However, the controller or processor is required to ensure that none of these tasks and duties gives rise to a conflict of interest.
3. Considerations on the actual designation of a DPO
To begin with, the Regulation points out that the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Although worded in somewhat general, even abstract, terms, the provision is intended to indicate the areas in which a potential DPO must have knowledge and experience. However, the absence of an express requirement regarding the DPO’s professional qualifications is readily apparent: the Regulation requires the DPO neither to complete a professional qualification course nor to hold a higher education degree in a particular field.
In this regard, the Working Party states that it is necessary for DPOs to have expertise in data protection law and practice at both national and European level. Furthermore, DPOs should have in-depth knowledge of data protection, irrespective of how this experience has been acquired.
In concrete terms, the only condition for a DPO laid down by the Regulation is the existence of theoretical and practical knowledge in the field of personal data protection, a condition which implies that the DPO belongs to this field in one form or another. The spirit of the provision exceeds its letter by the very fact that the field in question lies at the intersection of the technical and the legal, which is precisely why the DPO is also known as the ‘technology lawyer’.
In that light, we consider it relevant to mention that an initiative to regulate the profession of DPO was submitted to the Romanian Parliament in 2020, with the precise aim of clarifying the criteria on the basis of which a DPO can be designated by the controller/processor. Among the proposed criteria is the requirement to complete a specialization/refresher course leading to a certificate in this respect. Although such an initiative may appear welcome, the criticism voiced by the Privacy and Data Protection Specialists Association – PDPSA (a non-governmental organization set up to help, define, support and improve the DPO profession) and, subsequently, its rejection by the Senate, as the first decision-making chamber, suggest otherwise.
Thus, the PDPSA notes that the draft law infringes European Union law, both substantively and procedurally, since the draft: (1) affects the independence of the National Supervisory Authority and the autonomy of the DPO, and (2) creates additional obstacles and costs for controllers striving to comply with the Regulation, limiting their freedom to designate those they consider suitable for the job. In addition, there is also a procedural infringement of European Union law, as the legislative initiative was drafted in disregard of the rules on proportionality assessment set out in Directive (EU) 2018/958 on the proportionality test to be carried out before the adoption of new regulation of professions.
As a consequence, the absence of concrete criteria for designating DPOs and, conversely, the autonomy of the controller/processor should be seen as beneficial, precisely because they give the controller/processor an almost discretionary margin of freedom – a freedom restricted only by the provisions of the Regulation itself.
However, if a DPO is selected from among the staff of the establishment where data processing occurs, it is imperative that the controller/processor continuously ensures that this freedom does not give rise to a conflict of interest, since the DPO would then have a dual role: supervising data protection and, at the same time, defining how data is managed.
For this very reason, in practice it may prove difficult to select a DPO from among those already working in the unit concerned – either because of the conflict of interest mentioned above or because of the large volume of processed data. As a result, many controllers/processors tend to select an external DPO, who will need no more than 2-3 days a month to perform the relevant tasks and who, by their very position, excludes the possibility of a conflict of interest.
In short, there is no magic answer for designating a DPO, and the Working Party recommends that the decision be taken on a case-by-case basis by each controller/processor, considering the limitations discussed above. This raises the issue of freedom and its boundaries, its advantages and, paradoxically, its constraints – issues perceived differently by each individual and, in the situation at hand, by each individual controller or processor, who must take into account the provisions of the Regulation, the Working Party’s guidance and their own free will when designating an appropriate DPO for each processing of personal data.