Privacy basics: The Data Protection Officer
July 5th 2022 / in News / By Daisy Brugman
We have now been working with the General Data Protection Regulation (GDPR) for 4 years, yet there are still regular misunderstandings about the Data Protection Officer (DPO). In our experience, it is often wrongly assumed that designating a DPO is mandatory for every company or organization with more than 250 employees. Or the function is combined with another function in such a way that ‘the butcher is inspecting his own meat’. In this blog I will provide more clarity on the DPO position.
Who is the DPO?
The DPO is the person who advises on and supervises the application of and compliance with the GDPR within an organization.[1] This makes the DPO an internal supervisor, but he or she is not a supervisor in the sense of the General Administrative Law Act (Algemene wet bestuursrecht) and has no formal powers under that Act.[2] The GDPR does lay down various rules about the DPO.[3] These rules apply to both processors and controllers.
The function can be performed on a full-time or part-time basis.[4] Depending on the amount and type of personal data and the complexity of the processing activities, it may be necessary for the DPO to be supported by a privacy office. If several people are involved, a division of tasks must be made and it must be clear who the main contact person and ‘final responsible person’ is.
When is the designation of a DPO mandatory?
The DPO also existed under the Privacy Directive (95/46/EC) and the Personal Data Protection Act. However, there are changes under the GDPR: for example, it is now mandatory to appoint a DPO in certain circumstances.[5] Public authorities and public bodies must always appoint a DPO, except courts when exercising their judicial functions.
In addition, it is mandatory to appoint a DPO in the following two cases. First, a data controller is required to do so if its core tasks involve the regular[6] and systematic[7] observation of data subjects on a large scale. Core tasks are the main activities necessary to achieve the objectives of the controller or processor.
Example: public transport company, whose core task is to provide public transport. The public transport company processes personal data in support of this core task, for example for IT support and payment of wages to employees. These processing operations are not an inseparable part of the core tasks of the public transport company. Therefore, the public transport company does not need to appoint a DPO.
Example: security company, whose core task is the surveillance of a number of shopping centers. The regular and systematic observation of visitors to the shopping centers on a large scale is thus inextricably linked to the company’s core task. The security company must therefore appoint a DPO.
Secondly, the controller or processor is obliged to do so if, in view of its core task, it processes special categories of personal data and/or criminal data on a large scale. There is no hard limit, but the following factors are relevant: the number of data subjects involved, the amount and type of personal data, and the duration and geographical scope of the processing. The retention period also affects the quantity of data being processed.
Example: commercial bank, whose core tasks are to handle payment transactions, provide credit to private individuals and manage savings. The processing of customer data is an integral part of these core tasks and takes place on a large scale. Banks must therefore appoint a DPO.
In short, a DPO is mandatory for government organizations and for organizations that process special personal data or observe data subjects on a large scale. It is not the number of employees in the organization that is important, but the sensitivity of the data. That a DPO is mandatory from 250 employees is therefore nothing more than a myth.
Can a DPO also be appointed voluntarily?
A DPO can also be appointed on a voluntary basis. According to the Personal Data Authority (AP), it can be very useful to appoint or hire someone who specializes in personal data protection. The AP advises private-law organizations that perform government tasks (for example, a public transport company, energy company or housing corporation) to appoint a DPO as well, even though they are not obliged to do so.
But note: a voluntarily appointed DPO must comply with the same rules and frameworks as a mandatory DPO. This means, among other things, that the voluntarily appointed DPO has the same range of duties as the mandatory DPO.[8] In other words: voluntary, but not without obligation. It can therefore be attractive to appoint an external DPO: the DPO is hired for a number of hours (per week or month) and is on call in case of emergencies. In some cases that is cheaper than keeping the necessary knowledge and skills up to date yourself.
Can the current privacy officer become the new DPO?
The DPO can be someone from inside or outside the organization.[9] The important point is that there must be no conflict of interest if it is someone from inside the organization. A DPO should not receive instructions in carrying out the role, nor be the one who directs and controls the processing that he or she supervises. Conflicts of interest can occur when the privacy officer (PO) function is combined with the DPO function. The PO’s duties may conflict with the supervisory role of the DPO and the independence required for it. The DPO must be able to act if necessary, because he or she must, for example, conduct an independent investigation in response to a complaint. This makes the DPO an extension of the AP. That becomes difficult if you have to ‘inspect your own meat’, which can damage the credibility and reliability of the DPO. For this reason it is important that the independent positioning of the DPO remains guaranteed.
Any doubts?
If you have any doubts about whether or not you should appoint a DPO, Lex Digitalis can advise you. We also offer ‘DPO-as-a-service’ and can advise on the content of the role of DPO or PO. We are happy to be of service.
[1] In practice, the Dutch abbreviation DPO is also used.
[2] In practice, there are organizations (often governments) that grant the DPO such supervisory powers (as mentioned in the Awb).
[3] See Art. 37-39 GDPR.
[4] Art. 38 (6) GDPR.
[5] Art. 37 (1) GDPR. Incidentally, EU or member state legislation may also require the appointment of a DPO in other situations. The Dutch GDPR Implementation Act (GDPRIA) contains no such addition.
[6] Constant or recurring, whether at fixed times or not.
[7] According to a system; arranged, organized or methodical; as part of a program or strategy.
[8] Among other things, with regard to the professionalism and duties of the DPO (see Articles 37, 38 and 39 of the GDPR).
[9] Art. 37 (6) GDPR.