Defining the DPO and summarising the expectations of the position is a complex process that requires careful consideration by data controllers. In addition to the assessment of professional qualifications, the choice of the nature of the relationship is a key consideration. In this article, the characteristics of the internal and external DPO positions are compared, and specific contractual arrangements are discussed in relation to the latter
1. Qualification criteria for data protection officers
The data protection officer shall be appointed by the controller or processor based on his or her professional competence and suitability to perform the tasks for which he or she is responsible, as conjunctive criteria. Accordingly, the GDPR does not impose any qualification requirement for the performance of the task, but, as recital 97 of the GDPR puts it, ‘the necessary level of expertise should be determined in particular on the basis of the processing carried out by the controller or processor and the protection required in relation to the personal data they process’.
It can be seen from the above that it is the task and responsibility of the data controller or processor to assess whether the person they have chosen is suitable to fill the position, whether mandatory or voluntary, as defined in the General Data Protection Regulation; in this context, they cannot rely on certificates or diplomas issued by training institutions to certify the professional competence or suitability of the person to be a DPO, and the Hungarian Data Protection Authority (NAIH) has not issued any substantive opinion on whether ‘the training courses of the various companies provide DPOs with the appropriate qualifications to perform their tasks’. In view of the principle of transparency, the recruitment process for the selection of the DPO, including the criteria for winning the tender, should be documented.
According to the guidelines of the Confederation of European Data Protection Organisations (hereinafter “CEDPO“) published on 30 May 2016 entitled “How to select the best candidate for a Data Protection Officer for your organisation”, the Data Protection Officer should have strong communication skills and good diplomatic skills, given the multiple tasks and the multiple, even conflicting interests he or she will be confronted with. With the support of the data controller’s management, he/she should have a responsible role in helping to ensure that the organisation’s business decision-making processes are mindful of data protection requirements and thereby not only identify and prevent risks, but also create value
2. The nature of the DPO’s employment
The controller or processor is entitled to appoint both internal (its own employees or staff) and external (a person or organisation contracted to provide a service) persons as DPOs under the General Data Protection Regulation. The table below lists some of the considerations that may be raised, either pro or con, in relation to the appointment of an internal or external DPO (of course, specific circumstances may arise for a given controller or processor, the following are only general factors and observations):
|Aspect||Internal DPO||External DPO|
Termination of a legal relationship
|more difficult because of labour law rules||simpler under the rules on agency contracts|
Access to systems
|acts as a member of the organisation, so it is simpler||acts as an external service provider, making it more difficult|
Knowledge of the processes
|better knowledge of the actual practice in the organisation||less knowledge of actual practice in the organisation|
Professional knowledge and experience
|lower, narrower range||higher, wider range|
|wage-like payment, smaller margin for pricing||commission fee, with more flexible pricing schemes|
|may have other work responsibilities (but is more easily available at the designated place of secondment), there is a greater likelihood of conflict of interest rules being breached||can focus more on emerging DPO tasks (but may not necessarily be available at the designated on-call location), with less chance of conflict of interest breaches|
The table shows that data controllers and processors have to consider a complex set of issues before deciding on the nature of the DPO and that this decision is usually based on the financial capacity of the body concerned; while the French supervisory authority (CNIL) considers that the appointment of an internal DPO is a better solution, it also accepts that this is more difficult to achieve for small and medium-sized enterprises.
3. Specialities regarding the internal and external assignment of DPO
An internal DPO cannot be a legal person; it is an essential characteristic of the employment relationship that only natural persons can be employees. In this case, it is necessary to regulate in detail the precise tasks and responsibilities of the employee in his/her contract of employment and job description, as conflicts of interest may easily arise in the performance of his/her duties. The issue of conflict of interest will be dealt with in a future article.
In the case of an external service provider, both a natural person and a legal person may be appointed as DPO. According to the WP29, “it is essential that all members of the organisation carrying out the DPO’s activities comply with all applicable requirements of Section 4 of the GDPR (for example, it is essential that no one has a conflict of interest).” In my view, this requirement needs to be clarified for practical reasons; an external advisory organisation cannot be expected to have ‘all members’ complying with the legal requirements for DPOs in Section 4 of the GDPR, it would be necessary to narrow the term ‘all members’ to mean those natural persons or advisors who are or may be involved in the actual performance of DPO tasks for the client (controller or processor). This interpretation allows to exclude from the category of “all members” those natural persons employed by the service provider who will undoubtedly not be involved in the performance of the DPO service (e.g. the owner, cleaner, administrative staff, tax adviser, procurement consultant of the service provider, and thus persons who do not have relevant competence in the field but contribute in some way to the general functioning of the service provider), and therefore do not need to be assessed for the fulfilment of the requirements of Section 4 of the GDPR.
4. The use of several outsourced data protection officer
In order to effectively coordinate the work of the professionals involved in the DPO function, it is recommended that the responsibilities of the members of the team be clearly defined, even in the service contract (e.g. one person for data protection education and awareness raising, another for ad hoc data protection legal issues, a third for data processing reviews, etc.) and that a “lead contact person”, as the NAIH puts it, be appointed to ensure that the DPO function does not become “impersonal.” There is no restrictive rule in the GDPR and the Hungarian Privacy Act as to whether, in relation to the external service provider designated as the DPO, the data of the service provider itself, or of the “lead contact”, or of all members of the DPO team, must be published or notified to the DPO Notification System, so in my interpretation all three of the above methods of publication or notification are in line with the legal requirements. However, the requirement of transparency should be taken into account when determining the method of publication of the contact details of the DPO.
According to the practice of the NAIH, a person may act as a DPO for more than one controller or processor. In my view, there is also no obstacle to several natural persons or legal entities carrying out an independent economic activity as external DPOs at the same controller or processor at the same time. In such a situation, from the perspective of data protection law, the controller or processor should classify the external service providers as a group and, taking this into account, should define in its internal rules – and communicate to data subjects in the light of the principle of transparency – which service provider exactly plays which role in the performance of the activity, which service provider is the lead contact person, and should regulate the details of the position in the individual service contracts or in a multilateral service contract, taking into account the specific situation
5. The attorney, as DPO
Pursuant to Section 24 (1) (j) of Act LXXVIII of 2017 on the Activities of Attorneys (Hungary), a DPO may also be an attorney in the context of an activity involving an obligation to work and for remuneration. However, the requirement of conflict of interest must be considered, so that the attorney appointed as DPO cannot act as legal representative of the controller or processor in administrative or judicial proceedings concerning data protection. The question may arise as to whether a conflict of interest may exist in the case of an association of attorneys or a group of attorneys’ firms where one member of the association or group of attorneys’ firms is mandated to act as a data protection officer of the controller or processor, while another member of the association or group of attorneys’ firms acts as a legal representative of the same controller or processor in a case concerning data protection. Section 3.3 of the MÜK Regulation No. 8/2017 (XI. 20.) on the Lawyers’ Association and the Lawyers’ Bar Association (“8/2017 MÜK Regulation“) states that “in the performance of the mandate undertaken as an attorneys’ association, the obligations and rights pursuant to Section 28 (3) of the Lawyers’ Association Act shall be incumbent on and vested in all members of the attorneys’ association, unless otherwise provided by the parties.”.
The following conclusion may be drawn from the above-mentioned point of the Chamber’s Rules; if a member of the attorneys’ association undertakes the mandate of the Data Protection Officer not as a member of the attorneys’ association, or undertakes it as a member of the attorneys’ association but the parties stipulate that the obligations and rights pursuant to Section 28 (3) of the Act on the Activity of Lawyers are exclusively incumbent on and vested in him/her, the other members of the attorneys’ association are not contractually obliged to perform the duties of the Data Protection Officer and are not entitled to the rights arising from the mandate. On this basis, in my view, the mandate of a data protection officer concluded by one member of the association with a data controller or processor is not incompatible with the mandate concluded by another member of the association with the same data controller or processor to provide legal representation on data protection matters under the two schemes. Of course, in such a case, the specific contract for legal representation should also address the relevant issues as set out above, in particular that the rights and obligations arising from this contract do not apply to the member of the association acting as DPO under a separate mandate, or that it may also be appropriate to have the mandate for legal representation not as a member of the association.
In my view, there can be no conflict of interest in relation to a law firm association, as the members act autonomously and independently in all respects other than the use of common infrastructure and the bearing of part or all of the costs.
dr. Miklós Péter
2023. 01. 04.
Do you have a question about data protection or the position of Data Protection Officer? Contact me!
dr. Miklós Péter – GDPR lawyer
/ firstname.lastname@example.org /
Original article: https://dmp.hu/adatvedelem/dpo-cikksorozat-3-resz-ki-lehet-adatvedelmi-tisztviselo/