GDPR[1] introduces the function of a data protection officer, who must be appointed by the controller (or processor) in certain situations. Below I explain when the appointment of a data protection officer is mandatory, who may be appointed to this position and how, and what the officer's tasks are.
When is the appointment of a data protection officer mandatory?
Fortunately, the appointment of a data protection officer is not mandatory in most cases. According to Article 37 of GDPR, the controller and the processor must appoint one when:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
With regard to entrepreneurs, only two situations apply – those specified in points 2 and 3 above. Interpreting these provisions, however, is far from straightforward, because several of the phrases they use are not defined in GDPR. As a result, it is difficult to say clearly what is meant by “core activities”, “regular and systematic monitoring” or “large scale”. Some interpretative guidance is provided by the preamble to GDPR. One example is recital 91, which explains that “The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer”.
For the above reasons, each case should be assessed separately, taking into account all circumstances of the processing of personal data by the controller.
Who can be appointed as data protection officer, and how?
GDPR contains several guidelines on who can be appointed as a data protection officer. First of all, he or she should be appointed on the basis of professional qualifications, in particular expert knowledge of data protection law and the ability to fulfil the tasks listed below.
Two administrative solutions are possible – employing a person for this position (who will become a member of the data controller’s staff), or outsourcing, i.e. commissioning the tasks of the data protection officer on the basis of a contract for the provision of services.
The contact details of the data protection officer must be published by the controller and notified to the President of the Personal Data Protection Office. These two requirements from GDPR have been developed and specified in the Act on the Protection of Personal Data. According to it:
- the appointment of a data protection officer must be notified to the President of the Personal Data Protection Office within 14 days of the appointment, indicating the name, surname and e-mail address or telephone number of the officer,
- the President of the Personal Data Protection Office must be notified of any change to the above data, or of the dismissal of the data protection officer, also within 14 days,
- the data of the data protection officer indicated above must be made available on the entity's website, and if the entity that appointed the officer does not run its own website, in a manner generally accessible at its place of business.
Role and tasks of data protection officer
The data protection officer should be the leading person in the field of personal data protection in the enterprise of the entity that appointed him or her, and should be involved in all matters in this area. The controller, in turn, must provide the officer with all the support necessary to perform these tasks, including full access to personal data and processing operations. Moreover, the position of the data protection officer must be independent: the officer reports directly to the highest management level of the controller, must not receive instructions regarding the performance of his or her tasks, and must not be penalised for actions taken in the performance of those duties. Nothing should prevent the officer from carrying out the requirements of GDPR.
Persons whose data is processed must be able to contact the officer directly in all matters related to their data, including in connection with the exercise of their rights under GDPR.
GDPR imposes on the data protection officer an obligation to maintain confidentiality regarding the tasks performed. The officer may also perform other duties in the company, but the controller must organise them in a way that ensures there are no conflicts of interest.
The GDPR provides for five categories of tasks performed by the data protection officer:
- informing and advising the controller or the processor and the employees who perform processing, of their obligations pursuant to GDPR and to other Union or Member State data protection provisions;
- monitoring compliance with GDPR, other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- providing advice, where requested, as regards the data protection impact assessment and monitoring its performance pursuant to Article 35 of GDPR;
- cooperating with the supervisory authority (in Poland, the President of the Personal Data Protection Office);
- acting as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of GDPR, and consulting, where appropriate, with regard to any other matter.
The above tasks should be performed by the data protection officer with due regard to the risks associated with processing operations as well as the nature, scope, context and purposes of the processing.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).