This article examines when it is mandatory to appoint a DPO, how to deal with an optionally appointed DPO, and what the options are if several organisations wish to appoint a DPO.
1. Obligatory designation of a Data Protection Officer
Under Article 37(1) of the GDPR, both the controller and the processor may have an obligation to appoint a data protection officer. Subject to Article 24(1) of the GDPR, the need to comply with this obligation should be reviewed by the controller (and the processor) on a regular basis, in accordance with the principle of accountability, in particular where its activities are supplemented by processing operations which fall under the conditions of Article 37(1) of the GDPR. The activities of the DPO should not be limited to the processing for which he or she has been appointed by the controller or processor.
1.1. Authorities with a public function or public authority
This provision of the GDPR essentially requires any body that has a statutory public task, or that performs any act connected with the exercise of official authority, to appoint a DPO. It is important to underline that, according to the relevant WP29 guidance, in certain sectors (“such as public transport, water and energy supply, road infrastructure, public broadcasting, public or municipal housing”), where data processing is carried out by private actors with a public task, the obligation to designate a DPO is not per se mandatory under Article 37(1)(a) GDPR, but can be considered good practice, as confirmed by the Italian DPA (notwithstanding, of course, that the obligation to appoint a DPO may arise under another point of Article 37 GDPR for those private actors).
Due to the organisational specificities of local governments and mayor’s offices in Hungary, the Hungarian Data Protection Authority (NAIH) has also addressed the question of which legal entity is responsible for the appointment of the DPO, prior to the application of the GDPR. In the relevant decision, the NAIH analysed the concepts of data controller under the GDPR and the Information Act, and of the recipient of the public authority task (in the latter case, the body of representatives of the municipality was assessed as the data controller, since under Section 5(3) of the Privacy Act it is this body that decides which municipal legal entity determines the purposes and means of data processing).
The question may arise as to whether the mayor’s office and the local government
- are each required to appoint a data protection officer separately, or
- (given that the office is the working body of the local government) it is sufficient for the mayor’s office to appoint the DPO, or
- it may be appropriate to appoint a joint DPO under Article 37(3) GDPR.
We believe that this issue can be dealt with flexibly. It is also an appropriate solution if
(I.) the local government and the office each appoint a DPO, but it is also acceptable if
In conclusion, if it is clear from the terms of reference of the DPO of the mayor’s office that he or she may also act as DPO for another body, there is no need to appoint a DPO for the local government.
In its position on general practitioners, the NAIH explained that the obligation to appoint a DPO for a general practitioner (despite the fact that it performs a public task and carries out its work personally) does not arise under Article 37(1)(a) of the GDPR, but under Article 37(1)(b) and (c) of the GDPR. Also in this Resolution, the NAIH made an important observation to the effect that, although “large-scale” and “extensive” processing can only be interpreted in the context of a data protection impact assessment under recital 91 of the GDPR, the NAIH considers that these concepts can also be taken into account when assessing the conditions in Article 37(1)(b) of the GDPR. In this case, the question may arise whether data controllers (or processors) that are required to carry out a data protection impact assessment under Article 35(1) of the GDPR or the NAIH’s impact assessment list (drawn up in light of Article 35(4) of the GDPR) are automatically subject to the obligation to appoint a DPO.
1.2. Designation obligation based on the activity covered
Article 37(1)(b) and (c) of the GDPR provides for the appointment of a data protection officer based on the activities of the controller or processor. The following overview sets out the different concepts:

Main activity
- these are the most important operations necessary to achieve the controller’s or processor’s purposes, which, subject to recital 97 of the GDPR, do not include ancillary activities
- includes not only the activities listed in the business register, but also those from which the controller derives the highest revenue

Large-scale monitoring or processing of a large number of personal data
The GDPR does not set precise thresholds on this issue, so the WP29 provides guidance on what data controllers and processors should take into account in this regard:
- the number of people affected, either as a specific number or as a proportion of the population
- the volume of data and/or the range of different data to be processed
- the duration or permanence of the processing activity
- the geographical scope of the processing activity

Regular and systematic monitoring
WP29 defines regularity as meeting one or more of the following:
- happens continuously or at certain intervals during a given period
- recurring or repeated at fixed times
- occurs continuously or intermittently
Systematic (which implies planned processing) means one or more of the following:
- occurs according to a given system
- pre-arranged, organised or methodical
- carried out as part of the general plan for data processing
- carried out as part of a specific strategy

Processing of special categories of personal data or of personal data relating to criminal matters
The following are special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data or biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.
The connecting point between the above concepts is the question of necessity; the controller or processor is under an obligation to appoint a DPO under Article 37(1)(b) or (c) of the GDPR if the processing or monitoring of the kind described above is strictly necessary for their core business.
2. Optional appointment
Just as data controllers and processors are obliged to document their assessment of whether they are required to designate a DPO, the relevant WP29 guidance also requires them to record why they have chosen not to designate one. If the controller or the processor decides to appoint a DPO even though there is no legal obligation to do so (which the NAIH strongly encourages), the DPO is subject to the same legal requirements in the GDPR as a DPO appointed on a mandatory basis.
Also, in order to facilitate compliance with the GDPR: where a controller or processor that is not required to appoint a DPO, and does not do so voluntarily, employs or engages under a service contract a person whose job title suggests such a role, or who is contractually obliged to be available for or to provide advice on personal data matters, it is important to make clear and communicate, both internally and externally, that this person is not a DPO and is therefore not subject to the rules governing DPOs in the GDPR.
3. Joint DPO
Article 37(2) and (3) of the GDPR sets out the circumstances in which several controllers or processors may designate a joint data protection officer.
For groups of undertakings, in addition to the general conditions, the joint DPO is expected to be easily accessible from all sites; the joint DPO should act as a point of contact for all data subjects and supervisory authorities of every site that is part of the group of undertakings, as well as within the group of undertakings itself, in order to fulfil his or her tasks under the GDPR. In order to deal with problems arising from language difficulties, it may be good practice to have a local staff member assist the joint DPO at those sites where the joint DPO does not have an adequate level of language skills.
Public authorities or bodies with public tasks may also appoint a joint DPO, subject to the organisational structure. The previously cited NAIH position paper on municipalities explicitly underlines that it is possible to appoint a joint data protection officer in municipal institutions (e.g. kindergartens, schools) on the basis of Article 37(3) GDPR. However, even in such a case, it is necessary to designate a person or a group of persons in each institution whose task it is to assist the joint DPO in his or her work and, where applicable, the GDPR rules on DPOs should also apply to this person or group.
dr. Miklós Péter
- 11. 21.