The GDPR and the Data protection officer (DPO)
The GDPR contains rules on when it is mandatory for controllers and processors to designate a data protection officer. The Article 29 Data Protection Working Party (WP29) issued guidelines on the data protection officers (DPOs) on 13 December 2016, which were then revised on 5 April 2017, interpreting the respective provisions of the GDPR (Articles 37-39 and Recitals 77 and 97).
The Data Protection Officer (DPO)
The GDPR contains rules on when it is mandatory for controllers and processors to designate a data protection officer. The Article 29 Data Protection Working Party (WP29) issued guidelines on the data protection officers (DPOs) on 13 December 2016, which were then revised on 5 April 2017, interpreting the respective provisions of the GDPR (Articles 37-39 and Recitals 77 and 97). A Q&A on the data protection officer follows below.
I Designation of the Data Protection Officer (DPO)
1. When is it mandatory to designate a DPO for entities other than public authorities and bodies?
Privately held data controllers and data processors must appoint a DPO if
a) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematicmonitoring of data subjects on a large scale OR
b) the core activities of the controller or the processor consist of processing special categories of data on a large scale (for example, personal data revealing ethnic origin, political opinions, trade union membership, genetic data, health data) or personal data relating to criminal convictions and offences OR
c) the laws of the relevant Member State so provide.
As per the guidelines of the WP29, controllers and processors are highly advised to prepare an analysis on whether or not they are required to designate a DPO and to also document the analysis. If the controller / processors come to the conclusion that a DPO must be designated, a written contract must be concluded with him / her.
The WP29 further recommends that if the controller or processor is unable to decide if a DPO must be designated, it is better to designate one. This is because failure to appoint a DPO may result in a fine being imposed on the entity if the authority comes to the conclusion during an inspection that a DPO should have been designated.
1.1 What does "core activities" mean?
Core activities can be considered as the key operations necessary to achieve the controller’s or processor’s goals (e.g. hospitals processing health data in connection with providing health care services, security company providing surveillance services).
1.2 What does "large scale" mean?
The GDPR does not define what constitutes large-scale processing and it is not possible to give a precise number which would be applicable in all situations. The WP29 says that over time, a standard practice may develop for identifying in more specific and/or quantitative terms what constitutes "large scale" in respect of certain types of common processing activities.
The WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
- the number of data subjects concerned (either as a specific number or as a proportion of the relevant population),
- the volume of data and/or the range of different data items being processed,
- the duration, or permanence, of the data processing activity,
- the geographical extent of the processing activity.
1.3 What does "regular and systematic monitoring" mean?
The GDPR does not define what constitutes regular and systematic monitoring but it clearly includes all forms of tracking, while profiling on the internet, however, is not restricted to the online environment. The WP29 guidelines contain some guidance in this regard too. Namely, "regular" means something which occurs at particular intervals, is repeated at fixed times and/or which takes place constantly or periodically, whereas "systematic" means occurring in an organized manner or according to a general plan or strategy.
Examples of regular and systematic monitoring include, amongst others, telecommunication services, data-driven marketing activities, profiling, (credit) scoring, loyalty programs, location tracking, monitoring of fitness and health data via wearable devices, closed-circuit television (CCTV), smart meters.
Link to article
- Philippine Chapter of Getting the Deal Through: Cybersecurity 2018
- When will POPI come into force?
- "Consumer Survey Fails Reliability Test and Results in Dismantling of Massive Verdict By Julian L Bibb IV INTA Bulletin
- Is your organisation ready for POPI and the GDPR?
WSG Member: Please login to add your comment.