In order to explain the legal framework for the position of DPO and the practicalities for data controllers, we are launching a series of articles analyzing the relevant issues in detail. In the first article, we will look at the importance and historical background of the position of data protection officer.
1. Regulatory history
The DPO, or a closely similar institution, was first regulated in German data protection law. In addition, large US companies developed comparable roles (e.g. “privacy officer”, “chief privacy officer”) on a self-regulatory basis, so as to have a staff member responsible for knowing the data protection rules and supervising internal processes within the organization. The DPO thus has a monitoring function alongside the supervisory authorities in relation to data controllers, and designs and implements the data protection compliance program, in effect acting as a kind of ‘internal supervisory authority’. Within the European Union institutions, the position of DPO was already regulated by Regulation (EC) No 45/2001 of the European Parliament and of the Council, almost twenty years before the GDPR became applicable, and that regulation included provisions similar to those of the General Data Protection Regulation.
2. Legal regulation
The term “Data Protection Officer” is mentioned multiple times in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “General Data Protection Regulation” or “GDPR”):
- in Articles 13 and 14 of the GDPR, the data controller is obliged to provide information on the contact details of the data protection officer; pursuant to Article 16 (1) (b) of Act CXII of 2011 on the Right to Informational Self-Determination and on the Freedom of Information (hereinafter the “Privacy Act”), the data controller must also provide the name of the data protection officer to data subjects, and, subject to Article 2 (2) of the Act, this applies also in relation to processing governed by the GDPR;
- in Article 30 of the GDPR, the name and contact details of the Data Protection Officer must be indicated in the records kept by both the data controller and the data processor;
- in Article 33 of the GDPR, the notification to the supervisory authority of a personal data breach that is likely to pose a risk to the rights and freedoms of data subjects must include the name and contact details of the Data Protection Officer or other contact person who can provide further information;
- in Article 35 of the GDPR, the controller shall seek the professional advice of the DPO when carrying out a data protection impact assessment;
- in Article 36 of the GDPR, the controller shall provide information on the contact details of the DPO during the prior consultation of the supervisory authority in relation to the outcome of the data protection impact assessment;
- Articles 37-39 of the GDPR specifically deal with detailed rules for the Data Protection Officer;
- in Article 47 of the GDPR, binding corporate rules should at least include the responsibilities of the DPOs.
3. The importance of the Data Protection Officer
As can be seen from the above, the DPO occupies a central position when it comes to GDPR compliance. Its importance is also reflected in the fact that, in the event of a breach of the obligations relating to the DPO, an administrative fine of up to EUR 10,000,000 can be imposed on the controller or processor, or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In the introductory part of its Guidelines on Data Protection Officers, adopted on 13 December 2016 and revised on 5 April 2017 (hereinafter “WP 243”), the Article 29 Working Party (hereinafter “WP 29”) specifically underlined that “the DPO is a cornerstone of accountability and that appointing a DPO can facilitate compliance and furthermore, become a competitive advantage for businesses.” The designation of a DPO is an essential element in putting the principle of accountability into practice; if a DPO is designated in an organization and that designated person effectively fulfills his or her obligations, it can lead to a better, more comprehensive and serious level of compliance with the GDPR, so that the fact of designation can be seen as a general sign of compliance (in the words of the European Data Protection Law Handbook, “a possible measure to demonstrate compliance”). For these reasons, as stated in the “DPO Handbook” by Douwe Korff and Marie Georges, several DPAs in EU Member States (e.g. Sweden and the Netherlands) have made it a priority in their procedures to examine whether organizations have fulfilled their obligation to appoint a DPO.
Prior to the appointment of the DPO, it is recommended that the controller or processor set out its expectations in relation to the position (e.g. who may perform these tasks, under what legal relationship and for how long, what the short- and long-term objectives of the position are, and what the precise responsibilities and powers are). In the following article, we will discuss the legal requirements and practical issues in this regard.
Do you have a question about data protection or the position of Data Protection Officer? Contact me!
- Miklós Péter / firstname.lastname@example.org / +36306485521