GDPR

The least we can say, is that Member States have struggled to agree on the assumptions in which the appointment of a data protection officer was required.

Initially, Article 37 of the proposed Regulation determines the conditions, under which a protection officer data had to be designated for both the public sector and the private sector, depending on either the number of employees or the fact that the processing involved regular and systematic observation of the data subjects, because of its nature, scope or purposes.

Instead of paragraph 1 of Article 37, the second proposed version of the regulation set out in a pithy way that the controller may or shall designate a data protection officer if the EU law or the law of a Member State so requires...

The final version of the Regulation has finally reintroduced three cases in which the designation of a data protection officer is mandatory:

- when the processing is carried out by a public authority or body, except for courts acting in their judicial capacity (Art. 37, paragraph 1, a);

- when the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (Art. 37, paragraph 1, b);

- when the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences (Art. 37, paragraph 1, c).

The Regulation provided then that a group of undertakings may also designate a single data protection officer. Such possibility is also available to the authorities and the public entities, taking into account their organizational structure and size (paragraph 3). The notion of a group of undertaking is to be understood "as a controlling undertaking and its controlled undertakings" (Art. 4 (19)).

The controller, the processor or associations or other bodies representing categories of controllers or processors may or, where required by the EU law or the law of a Member State, must designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

Paragraph 5 specifies the qualifications that the data protection officer must meet:

- he or she must have expert knowledge of data protection law and practices;

- be able to perform the tasks assigned by Article 39 (including in particular the awareness of workers of the protection of data, control on the processing compliance, correspondence with the national supervisory authority...).

The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract (paragraph 6).

The Regulation also requires the controller - or the processor - to publish the contact details of the data protection officer and communicate them to the supervisory authority.

Direktivet

The Directive, in its Article 18, had introduced the possibility for the controller to designate a data protection officer. The designation of such an officer is then a condition for simplification, even derogation from the obligation of notification to the national supervisory authority.

Recital 49 stated that in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification where “a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects. Whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence”.

Utfordringer

The final text of this provision is the result of a compromise. The goal is to avoid the  administrative and organizational burden that was too heavy for small or medium-sized enterprises. The Member States were also notified on the possibility of extending the cases of designation.

 

However, to properly manage the obligations resulting from the Regulation, any enterprise must designate an internal controller that will not have a special status, which can impose difficulties, including as to its neutrality or ability to impose the necessary measures to ensure compliance of processing.

 

The cases of mandatory designations must be subject to interpretation of the Regulation that will not always be simple in practice.

 

Art. 29-arbeidsgruppen

Guidelines on Data Protection Officers (‘DPOs’) (5 april 2017)

(Endorsed by the EDPB)

The General Data Protection Regulation (‘GDPR’), due to come into effect on 25 May 2018, provides a modernised, accountability-based compliance framework for data protection in Europe. Data Protection Officers (‘DPO’s) will be at the heart of this new legal framework for many organisations, facilitating compliance with the provisions of the GDPR.

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that - as a core activity - monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.

Even when the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis. The Article 29 Data Protection Working Party (‘WP29’) encourages these voluntary efforts.

The concept of DPO is not new. Although Directive 95/46/EC did not require any organisation to appoint a DPO, the practice of appointing a DPO has nevertheless developed in several Member States over the years.

Before the adoption of the GDPR, the WP29 argued that the DPO is a cornerstone of accountability and that appointing a DPO can facilitate compliance and furthermore, become a competitive advantage for businesses. In addition to facilitating compliance through the implementation of accountability tools (such as facilitating data protection impact assessments and carrying out or facilitating audits), DPOs act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).

DPOs are not personally responsible in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions (Article 24(1)). Data protection compliance is a responsibility of the controller or the processor.

The controller or the processor also has a crucial role in enabling the effective performance of the DPO’s tasks. Appointing a DPO is a first step but DPOs must also be given sufficient autonomy and resources to carry out their tasks effectively.

The GDPR recognises the DPO as a key player in the new data governance system and lays down conditions for his or her appointment, position and tasks. The aim of these guidelines is to clarify the relevant provisions in the GDPR in order to help controllers and processors to comply with the law, but also to assist DPOs in their role. The guidelines also provide best practice recommendations, building on the experience gained in some EU Member States. The WP29 will monitor the implementation of these guidelines and may complement them with further details as appropriate.

Link

EU-domstolens praksis

C-92/09 ; C-93/09 (9 November 2010)

1.      Articles 42(8b) and 44a of Council Regulation (EC) No 1290/2005 of 21 June 2005 on the financing of the common agricultural policy, as amended by Council Regulation (EC) No 1437/2007 of 26 November 2007, and Commission Regulation (EC) No 259/2008 of 18 March 2008 laying down detailed rules for the application of Regulation No 1290/2005 as regards the publication of information on the beneficiaries of funds deriving from the European Agricultural Guarantee Fund (EAGF) and the European Agricultural Fund for Rural Development (EAFRD) are invalid in so far as, with regard to natural persons who are beneficiaries of EAGF and EAFRD aid, those provisions impose an obligation to publish personal data relating to each beneficiary without drawing a distinction based on relevant criteria such as the periods during which those persons have received such aid, the frequency of such aid or the nature and amount thereof.

2.      The invalidity of the provisions of European Union law mentioned in paragraph 1 of this operative part does not allow any action to be brought to challenge the effects of the publication of the lists of beneficiaries of EAGF and EAFRD aid carried out by the national authorities on the basis of those provisions during the period prior to the date on which the present judgment is delivered.

3.      The second indent of Article 18(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not placing the personal data protection official under an obligation to keep the register provided for by that provision before an operation for the processing of personal data, such as that resulting from Articles 42(8b) and 44a of Regulation No 1290/2005, as amended by Regulation No 1437/2007, and from Regulation No 259/2008, is carried out.

4.      Article 20 of Directive 95/46 must be interpreted as not imposing an obligation on the Member States to make the publication of information resulting from Articles 42(8b) and 44a of Regulation No 1290/2005, as amended by Regulation No 1437/2007, and from Regulation No 259/2008 subject to the prior checks for which that Article 20 provides.

Opinion of Advocate general

Judgment of the Court