This article seeks to provide an outline of the nature of the position, as well as the scope of the duties, of a Data Protection Officer under the General Data Protection Regulation (EU) 2016/679 ("GDPR").
The position of the Data Protection Officer, introduced by virtue of Article 37 GDPR, constitutes one of the most innovative and interesting aspects of EU data protection legislation. It is submitted from the outset that, depending on the circumstances, the appointment of a Data Protection Officer may be mandatory or not required at all (although it is worth noting that the designation of a Data Protection Officer is encouraged by competent supervisory authorities as good practice). In light of the practical difficulties of formulating a one-size-fits-all approach with regard to whether or not the appointment of a Data Protection Officer is necessary, the GDPR provides some guidelines which seek to help data controllers and data processors determine whether the processing activities in which their organization is engaged warrant the designation of a Data Protection Officer.
In so far as private entities are concerned, the appointment of a Data Protection Officer is understood to be mandatory where the core activities of the entity in question constitute processing activities requiring the frequent and systematic monitoring of data subjects on a large scale. It therefore follows that the activities of the organization, the frequency of processing and the volume of data processed, all constitute material factors. The practical application of these guidelines to each particular scenario is, nevertheless, a matter which requires the kind of meticulous analysis which largely falls outside the ambit of this article, and as such will not be considered further.
Essentially, the role of the Data Protection Officer consists of monitoring and facilitating the compliance of the entity which he / she serves with the provisions of the GDPR and applicable data protection legislation. More specifically, as part of his responsibilities, the Data Protection Officer may collect information with a view to identifying the processing activities, analyse and examine the compliance of those processing activities with the GDPR, inform the data controller or data processor accordingly, and provide advice and issue suggestions. What is more, whilst the GDPR imposes on data controllers and data processors the obligation to keep a record of processing activities, this record-keeping obligation may be delegated to the Data Protection Officer. In this respect, the record of processing activities enables the Data Protection Officer to perform certain aspects of his responsibilities, such as the monitoring of compliance and the provision of advice to the data controller or data processor.
Whilst the level of expertise and the professional qualifications which the Data Protection Officer should possess are not expressly stipulated in the GDPR, pursuant to the guidelines issued by Working Party 29 the Data Protection Officer is generally expected to possess, among other things, the following professional qualifications, skills and expertise:
- Expertise from a legal and practical standpoint in respect of personal data protection at both a national and an EU level, as well as excellent knowledge of the GDPR
- Knowledge of processing activities carried out by the data controller
- Knowledge of the field of information technology and data security
- Knowledge of the fields of business activity of the data controller
- Ability to develop a data protection culture within the data controller
It is worth noting that the GDPR endeavours to safeguard that the Data Protection Officer is autonomous and independent, in that he is answerable only to the highest management level within the organization and must be provided with access to, and information concerning, the departments, personnel and processing activities of the entity. At the same time, it should be stressed that the designation of a Data Protection Officer does not, in any way, absolve or release the data controller or data processor from the obligation of ensuring compliance with the provisions of the GDPR; in fact, whilst the position of Data Protection Officer entails a number of important responsibilities, the Data Protection Officer cannot be held personally liable in respect of any breach of the data processing obligations imposed upon data controllers and data processors.
In order to ensure that the Data Protection Officer is in a position to carry out his duties adequately and effectively, the GDPR requires data controllers and data processors to offer every reasonable assistance to this end. Crucially, the Data Protection Officer is expected to be promptly and duly involved in any matter relating to data processing. This necessarily entails, among other things, the participation of the Data Protection Officer in meetings of senior officials of the organization's management (to the extent and in so far as the agenda of the meeting includes any proposed course of action which is capable of influencing or affecting personal data protection), as well as consultation with the Data Protection Officer in respect of cases relating to data breaches or other similar incidents.
Going further, to ensure the autonomy and independence of the Data Protection Officer, the designating entity should not seek to influence or dictate the manner in which the duties of the Data Protection Officer are to be exercised. In particular, having due regard to the guidelines issued by Working Party 29, the Data Protection Officer must not, among other things, receive instructions as to the desired outcome of a case, instructions on how to approach the investigation of a complaint, instructions on whether or not the competent supervisory authority should be consulted, or indeed instructions with regard to the manner in which legislative provisions relating to data protection are to be interpreted. In addition, in order to ensure that the Data Protection Officer is in a position to exercise his duties in an impartial and independent manner, the following safeguards must be in place:
- The designating entity should not dismiss or otherwise penalise the Data Protection Officer for reasons relating to the exercise of the Data Protection Officer’s duties and responsibilities under the GDPR
- No conflict of interests should exist between the duties of the Data Protection Officer under the GDPR and any other duties or obligations arising by virtue of any other position held by the Data Protection Officer in the organization. This means that the Data Protection Officer must not hold any position that may determine the purposes and means of processing of personal data. Because each organization has a different organizational structure, this particular issue should be examined on a case-by-case basis. Usually, a conflict of interests is deemed to arise where the appointed Data Protection Officer also holds some other senior managerial or other key position within the organization which, by its very nature, determines or contributes to the determination of the purposes and means of processing of personal data (e.g. executive director, general manager, chief executive officer, chief financial officer, marketing officer, human resources manager, IT manager).
Moreover, to enable the Data Protection Officer to carry out his responsibilities effectively, the organization is expected to offer adequate support and sufficient resources. Such support is not limited to financial assistance; it may also take the form of continuous professional training aimed at enhancing and improving the skills and qualifications of the Data Protection Officer, notifying the organization's employees and members of staff of the designation of a Data Protection Officer and informing them of his duties and responsibilities, ensuring that the Data Protection Officer has access to other departments within the organization (such as the human resources, legal or information technology departments) for the purpose of ensuring his continuous technical support, and providing the Data Protection Officer with sufficient time to properly and effectively carry out his responsibilities.
Finally, another important function of the Data Protection Officer is that he also serves as the point of contact between the entity and the competent supervisory authority (in this case, the Commissioner for Personal Data Protection). In this respect, the contact details of the person appointed as Data Protection Officer must be communicated to the Commissioner for Personal Data Protection.