A data protection officer (DPO) is working for an organisation that fails to provide them with sufficient resources to complete their tasks and consciously excludes them from meetings in which data protection compliance is likely to be an extensive consideration. Sadly, this will not be an entirely alien experience for many DPOs at some stage in their career. In this article, we consider how the provisions of the General Data Protection Regulation (GDPR) prohibit such behaviour and how European Data Protection Authorities (DPAs) are enforcing these provisions in practice.
Article 37(1) of the GDPR makes it mandatory for organisations to appoint a DPO if they are a public authority or body (except for courts acting in their judicial capacity), or if their core activities require either large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data or personal data relating to criminal convictions and offences. The Article 29 Working Party Guidelines for DPOs (Guidelines) emphasise that organisations that voluntarily appoint a DPO under Article 37(4) of the GDPR should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.
Article 37(2) of the GDPR allows a group of undertakings to designate a single DPO who is: “easily accessible from each establishment.” Article 37(6) of the GDPR further authorises the DPO function to be fulfilled on the basis of a service contract, for example an outsourced DPO service.
On 10 November 2020, the Spanish DPA (Agencia Española de Protección de Datos) fined the security company Conseguridad SL €50,000, for failing to appoint a DPO. On 11 March 2021, the Italian DPA (Garante per la protezione dei dati personali) announced that it had ordered the Ministry of Economic Development to pay a €75,000 fine for having disseminated over 5,000 managers’ personal data on a website and not having appointed a DPO by 28 May 2018.
Article 37(5) of the GDPR provides that the DPO: “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices . . .” Recital 97 of the GDPR clarifies that the necessary level of knowledge should be proportionate to the organisation’s processing, taking into consideration the protection required for the relevant personal data. Accordingly, the Guidelines underline that the DPO may require a higher level of expertise where the processing is particularly complex or involves a large amount of “sensitive data.”
Involvement, resources and tasks
Article 38(1) of the GDPR prescribes that organisations must: “. . . ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.” The Guidelines elaborate that: “It is crucial that the DPO . . . is involved from the earliest stage possible. . .” and that disagreement with the DPO’s opinion should be documented.
Article 38(2) of the GDPR requires organisations to provide the DPO with the: “resources necessary” to carry out their tasks and to maintain their expert knowledge. Pursuant to this, the Guidelines recommend in particular that senior management actively support the DPO, that the existence of the DPO is communicated to all employees, and that the DPO has sufficient access to and support from other services (for example, HR and IT), as well as adequate equipment, financial resources, staff (for example, a DPO team), time and training resources.
Article 39(1)(a) and (b) of the GDPR entrust the DPO to inform and advise organisations about, and to monitor compliance with, data protection. However, it is important to appreciate that as per Article 24(1) of the GDPR, the data controller, not the DPO, is responsible for implementing and demonstrating data protection compliance.
On 31 May 2021, the Luxembourg DPA (National Commission for Data Protection) imposed an €18,000 fine on a company for failing to ensure that the DPO had sufficient involvement in, and resources for, data protection matters, particularly at operational level and in regard to informing and advising upon data protection obligations.
Article 38(3) of the GDPR establishes that organisations must ensure that the DPO: “. . . does not receive any instructions regarding the exercise of [their Article 39] tasks . . . not be dismissed or penalised . . . for performing [their] tasks” and directly reports to the highest level of management. Recital 97 of the GDPR underlines that DPOs should be able to: “perform their duties and tasks in an independent manner.” Accordingly, the Guidelines provide examples where organisations should not instruct DPOs in the context of their tasks, such as how to investigate a complaint, whether to consult the relevant data protection authority or how to interpret the GDPR.
Conflict of interest
Article 38(6) of the GDPR provides that although DPOs: “. . . may fulfil other tasks and duties”, organisations must: “. . . ensure that any such tasks and duties do not result in a conflict of interests.” An example of a task that the DPO can undertake without a conflict of interest is helping their organisation to maintain its record of processing activities under Article 30 of the GDPR. The Guidelines clarify that: “In particular, this means that the DPO cannot hold a position within the organisation in which he or she has to determine the purposes and means of the processing of personal data . . . As a rule of thumb, [this] include[s] senior management positions (e.g. Chief Executive, Chief Operating, Chief Financial, Chief Medical Officer, Head of Marketing, Head of Human Resources or Head of IT), as well as lower-level positions . . .”
On 28 April 2020, the Belgian DPA imposed a €50,000 fine on a telecommunications operator that had failed to cooperate with it, contrary to Article 31 of the GDPR, and whose DPO also fulfilled the function of Head of Audit, Risk & Compliance. On 31 May 2021, the Luxembourg DPA issued an injunction for corrective action against a company which had appointed as its DPO its Chief Compliance Officer, an employee who also had responsibilities for anti-money laundering and ‘Know Your Customer’ processes. In both instances, it was found that the DPO was responsible for determining the purposes and means of the processing of personal data taking place in the context of their other roles and therefore had a conflict of interest.
In light of the above, organisations should ensure that:
- they establish whether they are required to appoint a DPO and, if they are not, record this decision to demonstrate compliance with the accountability principle under Article 5(2) of the GDPR;
- their DPO has the appropriate expertise and resources to fulfil their tasks;
- their DPO is consistently involved in relevant matters from the outset; and
- their DPO is independent and does not have a conflict of interest.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience providing outsourced DPO and DPO Assist services to a range of domestic and international public, private and voluntary sector organisations. For more information please feel free to contact our advisers, who would be more than happy to help.