The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which start from already well-known privacy concepts and give a brief guide to the new legislation.
Who is the Data Protection Officer?
The Data Protection Officer, more commonly known as the DPO, is appointed by the controller or processor and mainly plays a dual role: firstly, he/she is entrusted with the duty of monitoring and overseeing compliance with the GDPR within the organisation of the person who has appointed him/her; secondly, he/she acts as a point of contact between the organisation and GDPR authorities and interfaces with data subjects.
When should a DPO be appointed?
The appointment of the DPO is mandatory (Art. 37) when: a) the processing is carried out by a public authority or body (except judicial authorities); b) the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or c) the core activities of the controller or processor consist of processing on a large scale of sensitive data (e.g. data relating to health, genetic data, biometric data, data relating to criminal offences or data relating to minors). However, Union or Member state law can provide for further cases of mandatory appointment.
Apart from these cases, the appointment of a DPO is discretionary but still strongly recommended, given the importance of the role in assisting and supporting compliance with the GDPR.
What skills are required to be appointed as DPO?
The DPO must have significant specialist knowledge commensurate with the sensitivity, complexity and amount of data processed by an organisation. In particular, he/she must have full command of national and European data protection laws and practices and be thoroughly knowledgeable of the GDPR as well as of the business sector and the controller’s organisation.
Lastly, he/she must have a significant degree of familiarity with the processing operations carried out, as well as the IT systems and data security and data protection needs of the controller.
What tasks does the DPO have?
Beside the roles of internal coordination and external contact point, the DPO will take charge of the ongoing (awareness-raising and) training of the controller’s or processor’s staff in the field of data protection, monitor compliance with the GDPR and play an advisory role, giving advice upon request on data protection impact assessments (DPIAs) and monitor their performance. This task list is by no means complete and the controller or processor may decide to assign further tasks to the DPO, such as for example the task of maintaining the record of processing activities.
Can the role of DPO be allocated to an employee of the controller/processor?
The controller or processor can either decide to appoint an internal member of staff of their own organisation as DPO (a new or existing staff member) or to contract the role externally (by means of outsourcing or a service contract). In both cases, the controller or processor must ensure that the DPO is in the position to be able to perform his/her duties and tasks in an independent manner and that any such tasks and duties do not give rise to a conflict of interest. For this reason, the controller and processor must ensure that the DPO does not receive any instructions and that he/she will not be dismissed or penalised for performing his/her tasks.
Can the DPO have his/her own team?
The controller or processor must provide all resources necessary for the DPO to be able to carry out his/her tasks, such as sufficient time, adequate financial resources, infrastructure (premises, facilities, equipment) and staff. The DPO can also have his/her own team to help him/her in performing his/her tasks. In such cases, the internal structure of the team and the tasks and responsibilities of each of its members should be clearly drawn up and there should be a designated lead contact.
Who is responsible for non-compliance with the GDPR ?
The DPO is not personally responsible for non-compliance with the GDPR during processing. Only the controller and the processor are responsible for any non-compliance with the Regulation when performing processing.
Is the controller/processor required to publish and communicate the DPO’s appointment?
The appointment of the DPO must be published and communicated both inside and outside the organisation of the controller or the processor. In particular, contact details of the DPO, such as for example a postal address, a dedicated telephone number, and/or a dedicated e-mail address (and possibly a dedicated contact form) should be published on the controller’s or processor’s website. The same contact details will be communicated to the relevant supervisory authority and to data subjects with the privacy notice (see, the first FAQ on privacy policies “link”).
Focus: the “large scale” concept
The GDPR does not define what large scale processing is. Working Party Art. 29, offers some criteria in order to clarify the concept in its Guidelines on DPOs of 5th April 2017 . When determining whether the processing is carried out on a large scale, the following factors can be considered:
• The number of data subjects concerned-either as a specific number or as a proportion of the relevant population;
• The volume of data and/or the range of different data items being processed;
• The duration, or permanence, of the data processing activity;
• The geographical extent of the processing activity.
Examples of large-scale processing include:
• processing of patient data in the regular course of business by a hospital;
• processing of travel data of individuals using a city’s public transport system (e.g. tracking via
• processing of customer data in the regular course of business by an insurance company or a bank.