Article 37
Designation of the data protection officer

Recitals of the Regulation related to article 37

(97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

Recitals of the Directive related to article 37

(49) Whereas, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification required may be provided for by Member States in cases where processing is unlikely adversely to affect the rights and freedoms of data subjects, provided that it is in accordance with a measure taken by a Member State specifying its limits; whereas exemption or simplification may similarly be provided for by Member States where a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects; whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;

(54) Whereas with regard to all the processing undertaken in society, the amount posing such specific risks should be very limited; whereas Member States must provide that the supervisory authority, or the data protection official in cooperation with the authority, check such processing prior to it being carried out; whereas following this prior check, the supervisory authority may, according to its national law, give an opinion or an authorization regarding the processing; whereas such checking may equally take place in the course of the preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing and lays down appropriate safeguards;

The GDPR

The least one can say is that the Member States struggled to agree on the circumstances in which the appointment of a data protection officer would be required.

Initially, Article 37 of the proposed Regulation set out the conditions under which a data protection officer had to be designated, for both the public and the private sector, depending either on the number of employees or on the fact that the processing, by virtue of its nature, scope or purposes, required regular and systematic monitoring of the data subjects.

The second proposed version of the Regulation replaced paragraph 1 of Article 37 with a terse provision under which the controller may, or where EU law or the law of a Member State so requires shall, designate a data protection officer...

The final version of the Regulation reintroduced three cases in which the designation of a data protection officer is mandatory:

- when the processing is carried out by a public authority or body, except for courts acting in their judicial capacity (Art. 37, paragraph 1, a);

- when the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (Art. 37, paragraph 1, b);

- when the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences (Art. 37, paragraph 1, c).

The Regulation then provides that a group of undertakings may also appoint a single data protection officer. The same possibility is open to public authorities and bodies, taking account of their organisational structure and size (paragraph 3). The notion of a group of undertakings is to be understood "as a controlling undertaking and its controlled undertakings" (Art. 4(19)).

Outside those mandatory cases, the controller, the processor, or associations and other bodies representing categories of controllers or processors may, or where EU law or the law of a Member State so requires must, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

Paragraph 5 specifies the qualifications that the data protection officer must meet:

- he or she must have expert knowledge of data protection law and practices;

- he or she must be able to perform the tasks assigned by Article 39 (including, in particular, raising staff awareness of data protection, monitoring the compliance of processing operations, and liaising with the national supervisory authority...).

The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract (paragraph 6).

The Regulation also requires the controller or the processor to publish the contact details of the data protection officer and to communicate them to the supervisory authority.

The Directive

The Directive, in Article 18, introduced the possibility for the controller to designate a data protection officer. Such a designation was then a condition for the simplification of, or even exemption from, the obligation to notify the national supervisory authority.

Recital 49 stated that, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification may be provided for where "a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects", and that "such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence".

Potential issues

The final text of this provision is the result of a compromise. The goal was to avoid an administrative and organisational burden that would have been too heavy for small or medium-sized enterprises. The Member States were also left the possibility of extending the cases in which designation is required.

However, in order to manage properly the obligations resulting from the Regulation, any enterprise will have to designate an internal controller without any special status, which may raise difficulties, in particular as to that person's neutrality or ability to impose the measures needed to bring processing into compliance.

The cases of mandatory designation will require interpretation of the Regulation, which will not always be simple in practice.

Summary

European Union

European Data Protection Board

Designation and Position of Data Protection Officers (16 January 2024) - (English)

In October 2020, the European Data Protection Board (EDPB) decided to set up a Coordinated Enforcement Framework (CEF) with a view to streamlining enforcement and cooperation among supervisory authorities, consistently with the EDPB 2021-2023 Strategy. A first CEF was conducted in 2021 on the Use of Cloud Services by Public Bodies. For the second CEF, the EDPB selected in September 2022 'the Designation and Position of Data Protection Officers' for its 2023 Coordinated Enforcement Action. Throughout 2023, 25 supervisory authorities (‘SAs’) across the EEA launched coordinated investigations into the role of Data Protection Officers (‘DPOs’). The CEF was implemented at national level in one or several of the following ways: (1) fact-finding exercise, (2) questionnaire to identify if a formal investigation is warranted, and/or (3) commencement of a formal enforcement investigation, or follow-up of ongoing formal investigations. Between November 2022 and February 2023, these supervisory authorities discussed the aims and the means of their actions in the context of the CEF. In this context, the SAs drafted a questionnaire in a neutral way so that it would be possible for either the controller/processor or the DPO to fill it in. While doing this, they ensured that it would be possible for SAs to adjust the questionnaire or to draft their own, based on (or inspired by) the commonly drafted questionnaire.

The present report aggregates the findings of all the supervisory authorities participating in the CEF. Particular attention is paid to challenges identified by supervisory authorities and/or respondents during the CEF action. These include issues such as insufficient resources allocated to DPOs, insufficient expert knowledge and training of DPOs and risks of conflicts of interests. This report provides, among other things, a list of recommendations that organisations, DPOs and/or SAs may take into account to address the challenges identified, without prejudice to the provisions of the GDPR/EUDPR and the powers of supervisory authorities.

Article 29 Working Party

Guidelines on Data Protection Officers (‘DPOs’) - wp243rev.01 (5 April 2017)

(Endorsed by the EDPB)

The General Data Protection Regulation (‘GDPR’), due to come into effect on 25 May 2018, provides a modernised, accountability-based compliance framework for data protection in Europe. Data Protection Officers (‘DPO’s) will be at the heart of this new legal framework for many organisations, facilitating compliance with the provisions of the GDPR.

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that - as a core activity - monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.

Even when the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis. The Article 29 Data Protection Working Party (‘WP29’) encourages these voluntary efforts.

The concept of DPO is not new. Although Directive 95/46/EC did not require any organisation to appoint a DPO, the practice of appointing a DPO has nevertheless developed in several Member States over the years.

Before the adoption of the GDPR, the WP29 argued that the DPO is a cornerstone of accountability and that appointing a DPO can facilitate compliance and furthermore, become a competitive advantage for businesses. In addition to facilitating compliance through the implementation of accountability tools (such as facilitating data protection impact assessments and carrying out or facilitating audits), DPOs act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).

DPOs are not personally responsible in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions (Article 24(1)). Data protection compliance is a responsibility of the controller or the processor.

The controller or the processor also has a crucial role in enabling the effective performance of the DPO’s tasks. Appointing a DPO is a first step but DPOs must also be given sufficient autonomy and resources to carry out their tasks effectively.

The GDPR recognises the DPO as a key player in the new data governance system and lays down conditions for his or her appointment, position and tasks. The aim of these guidelines is to clarify the relevant provisions in the GDPR in order to help controllers and processors to comply with the law, but also to assist DPOs in their role. The guidelines also provide best practice recommendations, building on the experience gained in some EU Member States. The WP29 will monitor the implementation of these guidelines and may complement them with further details as appropriate.

Summary

European Union

CJEU caselaw

C-92/09; C-93/09 (9 November 2010) - Volker und Markus Schecke and Eifert

1. Articles 42(8b) and 44a of Council Regulation (EC) No 1290/2005 of 21 June 2005 on the financing of the common agricultural policy, as amended by Council Regulation (EC) No 1437/2007 of 26 November 2007, and Commission Regulation (EC) No 259/2008 of 18 March 2008 laying down detailed rules for the application of Regulation No 1290/2005 as regards the publication of information on the beneficiaries of funds deriving from the European Agricultural Guarantee Fund (EAGF) and the European Agricultural Fund for Rural Development (EAFRD) are invalid in so far as, with regard to natural persons who are beneficiaries of EAGF and EAFRD aid, those provisions impose an obligation to publish personal data relating to each beneficiary without drawing a distinction based on relevant criteria such as the periods during which those persons have received such aid, the frequency of such aid or the nature and amount thereof.

2. The invalidity of the provisions of European Union law mentioned in paragraph 1 of this operative part does not allow any action to be brought to challenge the effects of the publication of the lists of beneficiaries of EAGF and EAFRD aid carried out by the national authorities on the basis of those provisions during the period prior to the date on which the present judgment is delivered.

3. The second indent of Article 18(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not placing the personal data protection official under an obligation to keep the register provided for by that provision before an operation for the processing of personal data, such as that resulting from Articles 42(8b) and 44a of Regulation No 1290/2005, as amended by Regulation No 1437/2007, and from Regulation No 259/2008, is carried out.

4. Article 20 of Directive 95/46 must be interpreted as not imposing an obligation on the Member States to make the publication of information resulting from Articles 42(8b) and 44a of Regulation No 1290/2005, as amended by Regulation No 1437/2007, and from Regulation No 259/2008 subject to the prior checks for which that Article 20 provides.

Regulation

Art. 37

1. The controller and the processor shall designate a data protection officer in any case where:

a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

1st proposal

Art. 35

1. The controller and the processor shall designate a data protection officer in any case where:

(a) the processing is carried out by a public authority or body; or

(b) the processing is carried out by an enterprise employing 250 persons or more; or

(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer.

3. Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.

5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

6. The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.

7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.

8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.

9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.

10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.

11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.

2nd proposal

Art. 35

1. The controller or the processor may, or where required by Union or Member State law shall, designate a data protection officer (...).

2. A group of undertakings may appoint a single data protection officer.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. (...).

5. The (...) data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37, particularly the absence of any conflict of interests. (...).

6. (...)

7. (...). During their term of office, the data protection officer may, apart from serious grounds under the law of the Member State concerned which justify the dismissal of an employee or civil servant, be dismissed only if the data protection officer no longer fulfils the conditions required for the performance of his or her tasks pursuant to Article 37.

8. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

9. The controller or the processor shall publish the contact details of the data protection officer and communicate these to the supervisory authority (...).

10. Data subjects may contact the data protection officer on all issues related to the processing of the data subject’s data and the exercise of their rights under this Regulation.

11. (...)

Directive

Art. 18

(...)

2. Member States may provide for the simplification of or exemption from notification only in the following cases and under the following conditions:

- where, for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects, they specify the purposes of the processing, the data or categories of data undergoing processing, the category or categories of data subject, the recipients or categories of recipient to whom the data are to be disclosed and the length of time the data are to be stored, and/or

- where the controller, in compliance with the national law which governs him, appoints a personal data protection official, responsible in particular:

- for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive,

- for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21 (2),

thereby ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.
