Article 37. GDPR. Designation of the data protection officer

Section 4
Data protection officer

Authors: Stefan Drewes and Sebastian Bretthauer

  1. The controller and the processor shall designate a data protection officer in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Art. 9 and personal data relating to criminal convictions and offences referred to in Art. 10.

  2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
  3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
  4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
  5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Art. 39.
  6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
  7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

A. General overview

Art. 37 contains the basic rules on the appointment of DPOs for the public and non-public sector. Paragraph 1 always imposes this obligation on the public sector (lit. a), whereas for the non-public sector it applies only under certain circumstances (lit. b and c). Paragraphs 2 and 3 outline the rules that apply when a single DPO is appointed for a group of companies (para. 2) or for several authorities or bodies (para. 3). Paragraph 4, by way of derogation from para. 1, provides that the law of the Union or the Member States may introduce further cases where an appointment is required and that a voluntary appointment of a DPO is also permitted. Paragraph 5 determines the requirements for the qualities and expertise of DPOs. The fact that there can be internal as well as external DPOs is provided for in para. 6. Paragraph 7 finally establishes the DPO as a point of contact for supervisory authorities and stakeholders. The contact details of a DPO must be published and notified to the relevant supervisory authority.

The question of the conditions under which a DPO must be designated proved very controversial during the legislative procedure up to the trilogue. The COM proposed an obligation to appoint a DPO only for companies employing 250 or more staff (Art. 35 para. 1 lit. b COM-Draft) in order to relieve small and medium-sized enterprises of this regulatory burden. The EP argued for a lower threshold above which a DPO would be required, namely if the processing related to more than 5,000 affected people within 12 months (Art. 35 para. 1 lit. b-d EP-Draft). The Council rejected these very far-reaching requirements and, in Art. 35 para. 1 Council-Draft, wanted to leave the designation largely to the Member States, both for public authorities and for non-public organisations. Some Member States feared this would be excessive and that the appointment of a DPO would be unduly burdensome for companies. The experience in Germany, however, confirms the opposite. A well-qualified and dedicated DPO, who is familiar with both the company’s goals and the related data processing operations, can be very supportive regarding compliance with data protection requirements, thereby helping to reduce the risk of the controller or processor. This view was mainly represented by Austria and Germany but could prevail only partially because of various obstacles during the legislative process.

All in all, the requirements regarding the DPO are based on the experience gained in Germany. The provisions in Section 4 are based on the model of “regulated self-regulation”. The DPO shall assist the controller or the processor in carrying out their duties, by supervising the implementation of the GDPR and advising on how any deficiencies may be eliminated. In doing so, they contribute to procedures compatible with data protection requirements. The DPO complements the regulatory oversight by the supervisory authorities. However, a DPO will not act as an “extended arm” or an auxiliary to the regulator. Cooperation between the controller or the processor and the DPO should be based on mutual trust. This need for mutual trust is now more important given the risk of fines and other negative impacts on the organisation. Such trusted cooperation is possible even in the face of conflicting interests and should be done with mutual respect. Honesty, transparency, and openness in dealing with each other are unconditional prerequisites for ensuring trust and cooperation.

B. Specific considerations

I. Mandatory designation (para. 1)

1. Obligation to designate a DPO for public authorities and public bodies (lit. a)

Paragraph 1 lit. a introduces a duty to designate a DPO for any public authority or public body that processes personal data. The GDPR does not differentiate between authorities and public bodies and does not define these terms. From the point of view of the Art. 29 Working Party, they should be determined according to national law. Authorities and public bodies can appoint an internal or external DPO, as para. 6 also applies to public authorities (→ mn. 38). However, the public authorities or public bodies must, as far as applicable, comply with the obligation to call for tenders for this position. The procurement rules must also be observed in the selection procedure for an external DPO.

An exception to the obligation to designate a DPO exists under lit. a for courts acting in the context of their judicial activity; Recital 97 extends this to independent judicial authorities. This exception was introduced to ensure the independence of courts: in this area they are not subject to controls by a DPO. Beyond judicial activity, however, e.g. in the field of judicial administration, the judicial authority is under a duty to designate a DPO.

[…]