The Article 29 Working Party Issues Final Guidelines on Data Protection Officers ("DPO")
At its plenary session on 5 April, the Article 29 Working Party ("WP29") approved revised guidance interpreting elements of the General Data Protection Regulation ("GDPR"), including on the appointment of data protection officers.
The revisions to the draft guidance, which was initially released in December 2016, followed a period of open public consultation that ran through the end of January 2017. You can find our summary of the December 2016 highlights here.
Some of the new points raised by the WP29 in its final guidance are as follows:
1. Accountability means that DPO assessments need to be kept up to date and can be requested at any time
When controllers and processors determine whether or not a DPO is required, they should keep a copy of their analysis in their records as this assessment falls within the scope of their wider accountability obligations.
The final guidelines provide that this evaluation (i) can be requested by the competent supervisory authority at any time and (ii) must be revisited every time new activities and services are contemplated. Given the increasing legal consequences that such analysis will create, controllers and processors are advised to proceed with care when making their DPO assessment.
2. No "à la carte" DPO appointments
When controllers and processors appoint a DPO (whether on a mandatory or voluntary basis), this person becomes responsible for all the processing activities carried out by the organisation.
It will therefore not be possible to circumscribe the role of the appointed DPO to only a portion of the organisation's activities and exclude him from the rest.
3. Big data now an example of 'regular and systematic monitoring'
As originally noted, all forms of on-line tracking and profiling are called out as examples, including for the purpose of behavioural advertising and email retargeting.
The final guidelines go one step further and add a reference to "data-driven marketing activities" so as to catch for instance big data-style operations.
4. Preferably, the DPO should be located within the EU
The final guidelines suggest that this is indeed the way for controllers and processors to ensure that their DPO is accessible (unless those organizations have no presence within the EU and the DPO activities will be better carried out outside of the EU).
5. There can only be one DPO, but supported by a team
Although the final guidelines confirm that only one DPO can be appointed (preventing the "virtualization" of the role between various individuals), this person can receive help and support from a team. Multiple additions can be seen throughout the document to confirm this point.
This clarifies one point of the initial draft guidelines, which provided that the DPO must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities in the language or languages used by the supervisory authorities and the affected data subjects. This point had raised criticisms as it seemed to imply that the DPO must speak all EU languages. The amended guidelines now make it clear that such communications in the various EU languages can be done by the DPO "with the help of a team if necessary".
6. Duty to ensure the confidentiality of communications between the DPO and employees
The final guidelines confirm a need to put in place "secure means of communication" between employees and the (internal or external) DPO to ensure the confidentiality of their exchanges. This could, for instance, be ensured by the physical presence of the DPO on the premises of the employees or by the establishment of a hotline. The suggestion here is that the secure means of communication must be free of monitoring technologies.
7. Senior managers including Head of HR, Marketing or IT individuals are barred from serving as the DPO
The GDPR does not restrict DPOs from holding other posts but expressly requires that controllers and processors ensure that such other tasks do not give rise to a conflict of interest for the DPO.
The final guidelines identify two groups of situations likely to generate conflicts of interest:
- Internal appointment: DPOs having senior management positions (e.g. CEO, COO, CFO, Chief Medical Officers, Head of Marketing, HR or IT) will not be eligible for DPO positions. The same would be true for people having lower roles within the organization of the company if their roles lead to the determination of purposes and means of processing; and
- External appointment: If an external DPO (e.g. a lawyer) provides day-to-day DPO services to controllers or processors, this may prevent this individual from representing those entities before courts in cases involving data protection issues.
8. The GDPR does not prevent the DPO from maintaining records of processing
Under the GDPR, the DPO is not in charge of maintaining records of processing activities, whereas this is an important part of the DPO's current duties under local data protection laws in France and Germany. The amended guidelines now provide that nothing prevents the controller or the processor from assigning the DPO with the task of maintaining the records of processing operations under the responsibility of the controller or the processor. The amended guidelines also provide that such records should be considered as one of the tools enabling the DPO to perform its tasks of informing and advising the controller or the processor, and monitoring compliance with the Regulation.
The revised guidance on portability is available here (https://ec.europa.eu/newsroom/document.cfm?doc_id=44100)
Article 29 Working Party publishes guidance on DPO provisions of the GDPR
In February 2016, as part of its action plan of activities for the implementation of the General Data Protection Regulation ("GDPR"), the Article 29 Working Party ("A29WP") promised to publish guidance on the operation of the GDPR's provisions regarding the requirement for controllers and processors to appoint a Data Protection Officer ("DPO").
That guidance was published on 16th December - a copy is available here (the "Guidance").
Some of the key points raised by the A29WP in its Guidance are as follows:
1. When is a DPO appointment obligatory? - The Guidance unpacks some of the GDPR's terminology, so it is worth starting with a reminder about when the Regulation says that a DPO appointment is obligatory. Three scenarios are mentioned (and the Guidance goes on to summarise what the quoted terms below mean), namely where:
i. Processing is carried out by a public authority (other than certain courts);
ii. The core activities of a controller or processor consist of processing which require:
a. regular and systematic monitoring of individuals on a large scale given their nature, scope, and/or purpose; or
b. large scale processing of sensitive data or criminal records; or
iii. A Member State's law requires a DPO to be appointed (likely in countries such as Germany).
- "Public authority": The Guidance says that each Member State's laws should define what constitutes a public authority, and also that bodies which are subject to public law should also fall within this definition. So providers of utility services, transport infrastructure and public broadcasting services in many countries are likely to have to appoint a DPO under the GDPR.
- "Core activities": Activities which are 'an inextricable part' of the controller's/processor's pursuit of its goals are cited. Reassuringly, the Guidance confirms that a company's processing of staff information (which will inevitably include sensitive data) is ancillary to its activities, not core. Examples of core activities given include a security company's surveillance where it is hired to safeguard a public space, a hospital's processing of patient health data, and the processing of employee data by an outsourced provider of occupational health services.
- "Regular and systematic monitoring": All forms of on-line tracking and profiling are called out as examples, including for the purpose of behavioural advertising and email retargeting. Other interesting examples cited include: scoring (e.g. for credit scoring, fraud prevention or for the setting of insurance premiums); location tracking; fitness and health data tracking; CCTV; and processing by connected devices (smart meters, smart cars etc.).
- "Large scale": The A29WP is not currently keen on precise numbers being used as a benchmark for this term, although the Guidance notes that plans are afoot to publish thresholds. Instead the Guidance lists some fairly obvious factors to be considered in defining large scale (e.g. the number of individuals affected and geographic extent of processing). Examples of large scale processing cited include: a bank or insurance company processing customer data; and processing of an international fast food chain's customer geo-location data in real time for statistical purposes by a specialist processor.
2. What about voluntary DPO appointments? - The A29WP encourage these, although given the prescriptive nature of the requirements for the DPO role which the Guidance sets out (summarised below) it remains to be seen how comfortable organisations will be to follow this lead. The Guidance confirms that where a DPO is appointed on a voluntary basis, the same requirements as set by the GDPR for mandatory DPOs will apply to them (e.g. regarding independence, freedom from unfair dismissal, obligation to publish their contact details etc.). Interestingly, the Guidance recommends that an organisation which decides not to voluntarily appoint a GDPR DPO documents why it thinks that it is not subject to the mandatory DPO appointment criteria (as summarised above).
3. Will DPOs be personally liable if their organisation fails to comply with the GDPR? - No. The Guidance is clear on this point. Controller and processor organisations are obliged to ensure that they comply with the GDPR, not individual DPOs.
4. Can an external DPO be appointed? - Yes, so long as the GDPR's requirements including regarding impartiality, knowledge of the organisation to which the DPO is appointed and accessibility are met. The Guidance stresses that the terms of an external DPO's appointment should be clearly laid out in a service contract and that the external DPO's title, status, position and tasks be clearly agreed.
5. Can a group of companies appoint a single DPO? - Yes, again so long as the GDPR's requirements mentioned at 4) are met. The Guidance makes an interesting point in relation to accessibility. DPOs are required to be accessible to data subjects and regulators. The Guidance makes the point that this will not be possible unless the DPO can communicate in the languages which the data subjects (for instance customers and staff) and regulators of the organisations which he/she represents are likely to speak. It seems that the A29WP expect DPOs in multi-national groups to be data protection experts and multi-linguists (or at least to have access to good translation mechanisms).
6. What skillsets are required of a DPO? - The Guidance repeats the list included within the GDPR (e.g. expert knowledge of data protection laws and practices). Interestingly, it notes that a higher level of expertise is required the more complex and/or sensitive the personal data which is processed by the organisation, or the greater the volume of data processed.
7. Publication of the DPO's contact details - This is required by the GDPR. The Guidance clarifies that the name of the DPO does not need to be made publicly available but that it should be published to all relevant regulatory authorities and members of staff. Other members of the public need only to be given sufficient information to enable communications to easily reach the DPO, e.g. a dedicated email address published on a website.
8. The DPO's role - The A29WP stress that organisations which appoint a DPO must ensure that the DPO is involved in all issues relating to data protection at the earliest stage and that the DPO's primary concern should be enabling GDPR compliance of the organisation. In so doing the DPO must be involved in key decisions (access to senior management is mentioned) and be given necessary resources (including support, budget, facilities and training). If a security breach occurs the Guidance says that the DPO must be promptly consulted.
9. What if management disagree with the DPO? - The Guidance states that no instruction must be given to the DPO regarding how to deal with a matter, what results should be achieved or whether or not to consult with a regulatory authority. As a matter of good practice, should management disagree with a DPO then the reasons for not following the DPO's advice should be documented. DPOs should not be dismissed or penalised (including indirectly via, for instance, prevention of career development) for performing their tasks - to do so would constitute a breach of the GDPR.
10. What about conflicts of interest? - The GDPR does not restrict DPOs from holding other posts but expressly requires that organisations ensure that such other tasks do not give rise to a conflict of interest for the DPO. The Guidance goes further and states that a DPO cannot hold a position which leads him/her to "determine the purposes and the means of the processing of personal data". It remains to be seen whether regulators feel that CISOs or CIOs can perform the DPO role.
What is a DPO?
A DPO is a person (either an employee or an external consultant) who is given formal responsibility for data protection compliance within a business. Under existing EU data protection law, the approach to DPOs varies from one Member State to the next. In most cases, it is not currently mandatory to appoint a DPO, although there are some EU Member States (e.g., Germany and Sweden) in which the decision to appoint a DPO has practical advantages (e.g., obviating the need to file a registration with the Data Protection Authority). As set out below, the GDPR will introduce significant new obligations which will require many businesses to appoint DPOs. The GDPR will also implement a much more formal framework around the roles and responsibilities of DPOs.
The obligation to appoint a DPO under the GDPR
Article 37(1) of the GDPR states that a DPO must be appointed if:
- the relevant data processing activity is carried out by a public authority or body;
- the core activities of the relevant business involve regular and systematic monitoring of individuals, on a large scale; or
- the core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offences, on a large scale.
The Guidelines provide a more detailed explanation of these concepts, enabling businesses to better understand their compliance obligations.
Appointing a DPO
Article 24(1) of the GDPR requires businesses to demonstrate that they are compliant with the requirements of the GDPR. The Guidelines therefore recommend that businesses should keep records of any decision to appoint, or not appoint, a DPO, and any analysis undertaken in connection with that decision.
The Guidelines provide further clarity on the key terms used in Article 37(1) of the GDPR:
- "Public authority or body": Any organisation that is a public authority or a public body must appoint a DPO. However, the GDPR does not define the expression "public authority or body". Rather, the GDPR leaves it to each EU Member State to determine which organisations are public authorities and public bodies. Where a private business performs outsourced public functions on behalf of a public authority or a public body, the WP29 recommends that the business should appoint a DPO, not merely in relation to those outsourced public functions, but also in relation to all of the other data processing activities of that business (including processing activities that are unrelated to the outsourced public functions).
- "Core activities": The meaning of this phrase is critical, because businesses are legally obliged to appoint a DPO if their "core activities" fall within the scope of Article 37(1) of the GDPR (set out above). The Guidelines make it clear that the term "core activities" refers to the key operations necessary to achieve the main objectives of the relevant business. For example:
  - The processing of health data by a hospital is an operation that is necessary to achieve the hospital's main objectives, so all hospitals are likely to need to appoint DPOs.
  - The processing of personal data in the context of internal IT services or payroll processing (which are ancillary activities, rather than inextricably linked to the main objectives of the relevant business) does not trigger the obligation to appoint a DPO, according to the Guidelines.
- "Large scale": Like "core activities", the phrase "large scale" is important in determining whether a business is required to appoint a DPO under Article 37(1) of the GDPR. The phrase "large scale" is not defined, but the Guidelines note that there are some cases that are clearly large scale (e.g., processing at a regional, national or international level) and some cases that are clearly not large scale (e.g., processing of personal data of an individual patient by a doctor). But most business activities will fall somewhere between these two extremes. The Guidelines recommend that businesses should consider the following factors in determining whether a given processing activity is "large scale" or not:
  - the number of individuals affected (either in abstract, or as a percentage of the relevant population);
  - the volume of data, and/or the number of categories of data, being processed;
  - the duration or permanence of the processing activities; and
  - the geographic scope of the processing activities.
  - Examples of processing activities that are large-scale include:
    - processing of patient data by a hospital in the regular course of business;
    - processing of customer data in the regular course of business by an insurance company or a bank;
    - processing of personal data for behavioural advertising purposes; and
    - processing of data (content, traffic, location) by telephone or internet service providers.
  - Examples of processing activities that are not large-scale include:
    - processing of patient data by an individual physician; and
    - processing of personal data relating to criminal offences by an individual lawyer.
As these examples illustrate, the threshold for appointing a DPO is relatively low.
Article 37(1) of the GDPR applies to businesses that act as controllers and businesses that act as processors (e.g., outsourced service providers). Even where a controller is obliged to appoint a DPO, a processor that carries out processing on behalf of that controller will need to do its own analysis, and will not necessarily have to appoint a DPO (and vice versa). Nevertheless, the Guidelines note that the appointment of a DPO by a processor may be good practice in any event.
- Appointing a DPO voluntarily: A business can choose to voluntarily appoint a DPO even if it is not legally obliged to do so. However, it is important to note that a business that appoints a DPO voluntarily must still comply with the full range of DPO-related compliance obligations, as if that appointment had been mandatory.
- Appointing a non-DPO to a data protection compliance role: Businesses that do not need to appoint a DPO may choose to appoint other staff to perform tasks relating to data protection compliance. Such staff should not be referred to as 'DPOs' or 'Data Protection Officers' (even informally) to avoid any risk of confusion and the aforementioned consequences of voluntarily appointing a DPO.
- Appointing a group DPO: A single DPO can be appointed for a corporate group (or several entities within a group) provided that he or she is easily accessible from each business location for which he or she is responsible (i.e., the DPO's contact details must be readily available, and it must be straightforward for individuals and Data Protection Authorities to contact the DPO). This also requires that the communication with the DPO may take place in the language used by the respective Data Protection Authorities and data subjects.
- Appointing a DPO team: Depending on the size and structure of a business, it may be appropriate to appoint a team of individuals (a formal DPO and his/her staff) to fulfil the obligations of the DPO. If a business decides to adopt this approach, it will need to clearly set out the roles and responsibilities within that team, and designate a lead contact who is responsible for that team.
- Appointing an external DPO: A business may appoint an external contractor as its DPO (as opposed to an employee) provided that the external DPO has sufficient knowledge of the business and its data processing activities to fulfil the role. A team of individuals within an external service provider may also be able to fulfil the role of the DPO, again with a single individual acting as lead contact.
- Expertise and skills: A DPO must have suitable professional qualities and expert knowledge of data protection law, to fulfil the role. The required level of expertise will vary depending on the business - the more complex, or high-risk, the data processing activities are, the greater the expertise of the DPO will need to be.
- Independence of the DPO: The DPO must be autonomous (i.e., the business must not instruct the DPO on how to complete his or her tasks) and independent (i.e., he or she must avoid any conflict of interests). As a rule of thumb, most senior positions within a business are likely to conflict with the duties of the DPO (e.g., chief executive, chief operating, chief financial or chief medical officer; head of marketing, HR or IT). Businesses should create internal rules and safeguards to ensure that the DPO is able to act independently and without conflicts of interest.
- Protections for DPOs: To help ensure that DPOs are autonomous and independent, DPOs are protected under the GDPR from unfair dismissal / termination for reasons relating to their performance of the DPO role. A DPO who is an employee of the business may also benefit from the protections afforded by local employment law in some EU Member States, making it difficult for businesses to remove DPOs from their roles. For the avoidance of doubt, the GDPR does not protect a DPO from dismissal / termination for reasons that are not connected with their performance of the DPO role (e.g., theft, sexual harassment, gross misconduct, etc.) but businesses cannot remove a DPO merely because he or she adopts a risk-averse approach to data protection compliance. Consequently, it is vital for businesses to ensure that they select a suitable DPO. If a business appoints an external contractor as its DPO, the protections afforded by the GDPR also apply to such external contractor (e.g., no unfair termination of the service contract for activities as DPO).
- Role of the DPO: The business must involve the DPO from the outset in all issues relating to data protection compliance (e.g., by inviting the DPO to attend relevant meetings at which decisions about data processing are made). The business must provide the DPO with necessary resources to fulfil the DPO role (e.g., active support from senior management; if the DPO role is part-time, sufficient time to carry out his or her DPO responsibilities; continuous training; appropriate financial resources; etc.).
- Tasks of the DPO: The tasks of the DPO include monitoring the business's compliance with the GDPR, and advising the business on data protection issues. Additionally, the DPO has a role in carrying out data protection impact assessments ("DPIAs"). Where high-risk processing is contemplated, the business should actively seek advice from the DPO on conducting a DPIA. The DPO is supposed to take a risk-based approach, ensuring that high-risk processing activities are prioritised. Pursuant to the Guidelines, the business may also involve the DPO in other data protection related tasks such as maintaining the newly introduced record of processing operations.
- Accountability: The task of the DPO to monitor the business's compliance with the GDPR does not lead to individual liability of the DPO for non-compliance by the business. The business may disagree with the advice given by the DPO (e.g., in the context of a DPIA) and the business is not required to follow the DPO's advice. However, the Guidelines then require the business to document in writing the reasons for not following the DPO's advice.
Consequences for businesses
Businesses should consider carefully whether they are required to designate a DPO, bearing in mind that: (i) the Guidelines make it clear that all businesses should consider voluntarily appointing a DPO; and (ii) if a business chooses not to appoint a DPO the Guidelines recommend that the business maintains records of the reasons behind that decision to be able to demonstrate that all relevant factors have been properly considered. Businesses that appoint a DPO need to ensure that the DPO has access to all the resources and support necessary to fulfil the role, and ensure the DPO's independence and autonomy. This is particularly important where a single DPO is designated for a group of undertakings, as the challenges of this approach are much greater. If a business fails to fulfil its obligations regarding the appointment and support of a DPO, it may face fines under the GDPR up to a maximum of the greater of €10 million or 2% of worldwide turnover.
Furthermore, businesses need to ensure that an appropriate DPO is appointed, with the requisite expertise and knowledge. If the appointment of a DPO is delayed until enforcement of the GDPR begins, the business may find that there are no suitably qualified candidates available.
Meanwhile, despite the uncertainty over Brexit, the UK government has confirmed that the GDPR will apply in the United Kingdom from 25 May 2018. This means that UK businesses will be subject to the obligation to appoint a DPO, as set out above.
White & Case has produced a detailed GDPR Handbook that provides practical guidance on the impact of that legislation on businesses.