GDPR: The role of the DPO
The GDPR, whose rules take effect on 25 May 2018, provides that in certain cases a Data Protection Officer, hereinafter referred to as DPO, must be appointed.
This DPO is appointed on the basis of his or her professional qualities and, in particular, on the basis of expertise in the field of data protection legislation and practice.
Moreover, the DPO must be able to fulfil a number of tasks, in particular:
- provide the controller(s), the processors and their appointees with advice and information regarding their obligations under the legal provisions on data protection;
- ensure compliance with the legal provisions on data protection and the policy of the controller or processor in this respect;
- cooperate with the supervisory authority (in Belgium this is the Privacy Commission);
- act as a point of contact for the supervisory authority;
- if requested, provide advice on the data protection impact assessment (i.e. a procedure for assessing the risks that the processing of certain data entails) and supervise its implementation.
In which cases is the appointment of such a DPO now mandatory?
First of all, this is the case when the processing is done by a government agency.
It is also mandatory for controllers or processors who are mainly responsible for processing that, due to its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale.
Finally, controllers and processors who are mainly responsible for the large-scale processing of special categories of data (such as ethnic origin, biometrics, …) and personal data relating to criminal convictions and criminal offences must also comply with this obligation.
Since the GDPR's description of the controllers and processors who are obliged to appoint a DPO is vague, a number of criteria have been provided that need to be considered in order to check whether or not an organisation is subject to the obligation, such as the number of data subjects whose data is being processed, the duration of the processing activities, etc.
It is therefore appropriate for each company to check whether it must appoint a DPO for its specific case and for the specific context in which it carries out processing activities.
The Privacy Commission has indicated in the meantime that it considers the appointment of a DPO as a good practice, even if not mandatory.
It should be noted here that if you choose to appoint a DPO, you must comply with the same rules that apply if you were obliged to appoint one.
Furthermore, an employee of the company may be appointed as DPO. In such a case, it is not necessary for this person to perform the function full-time; combining the role with another position remains possible under certain conditions.
The DPO must be involved in all matters relating to data protection, he must receive the necessary resources and support for the performance of his duties, he must be able to work independently, he may not be dismissed or ‘punished’ for the performance of his duties as DPO, and he may not have a conflict of interest.
This last requirement implies that the DPO at the company may not hold a position in which he determines the purpose and means of processing the data, whereby in principle persons with a position within the senior management (CEO, COO, CFO, CIO, …) would be excluded. This requirement must also be assessed in concrete terms, which means that certain other positions will also have to be excluded.
However, a company can also opt for the appointment of an external DPO. This can be a natural or a legal person. In the latter case, it must be clearly indicated which natural person will handle the DPO services and how he or she can be contacted.
In accordance with the recommendations of the Privacy Commission, it is therefore recommended to:
- document the choice and job description of the DPO;
- list the positions that are incompatible with the position of DPO;
- draw up internal rules to prevent conflicts of interest.