Data Protection Officer
Who is obliged to appoint a DPO?
Both controllers and processors may be obliged to appoint a DPO. Designation is mandatory in the following cases: a public authority (irrespective of which categories of data are being processed), and controllers and processors whose core business implies regular and systematic monitoring of data subjects on a large scale, or processing of special categories of data or data relating to criminal convictions and offences. Therefore, controllers and processors which are not public bodies need to take into account: core business, regular and systematic monitoring, large scale, and the category of personal data.
Is a hospital obliged to appoint a DPO? And an individual physician?
The core activity of a hospital is to provide health care; therefore, processing health data forms an inextricable part of the controller’s activity, and a hospital must appoint a DPO. Besides, processing health data in a hospital is carried out on a large scale, which is another condition that entails the mandatory appointment of a DPO. An individual physician or specialist processes patients’ health data as a core activity but not on a large scale; therefore, the designation of a DPO is not required.
Does processing employees’ health data require the appointment of a DPO?
It is not required. Processing employees’ health data is not the core business; it is merely a necessary and essential supporting activity and is therefore usually considered an ancillary function rather than the core business. It supports the core activity or main business of a company, not-for-profit organisation or economic operator. Besides, such processing is not carried out on a large scale.
Is the DPO personally responsible for non-compliance with the GDPR?
The DPO is not personally responsible for non-compliance with the requirements of the GDPR. It is the controller or the processor who is required to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. Data protection compliance is the responsibility of the controller or the processor.
What does conflict of interests mean?
The GDPR requires that the tasks and the skills of the DPO should not result in a conflict of interests. This means, first, that the DPO cannot hold a position which leads the DPO to determine the purposes and the means of data processing. As a rule of thumb, conflicting positions may include management positions (e.g. chief executive, chief operating, chief financial and chief HR officers, head of the marketing department, head of the IT department) but also other roles lower down in the organisational structure, if such positions lead to the determination of the purposes and means of processing. In addition, a conflict of interests may also arise if an external DPO is asked to represent the controller or processor before the courts in cases involving data protection issues.
What does performing tasks in an independent manner mean?
There are several safeguards which ensure that the DPO acts in an independent manner. Here are some guidelines. The DPO should receive no instructions from the controller or the processor regarding the exercise of the DPO’s tasks. There should be no dismissal or penalty by the controller or the processor for the performance of the DPO’s tasks, and no conflict of interests with any other tasks and duties which the DPO performs.
To whom shall the DPO report?
The DPO shall directly report to the highest management level of the controller or the processor.
Which contact details of the DPO should be published?
The contact details of the DPO should include information allowing data subjects and the supervisory authorities to reach the DPO easily and directly (a postal address, a dedicated telephone number and/or a dedicated e-mail address). The GDPR does not require the name of the DPO to be published: it is for the controller or the processor and the DPO to decide whether this is necessary or helpful.
If the controller is obliged to appoint a DPO, is the processor obliged to appoint a DPO too?
Not necessarily. It depends on who fulfils the criteria for mandatory appointment. In some cases only the controller or only the processor is required to appoint a DPO; in other cases both the controller and its processor are (and their DPOs should cooperate). It is important to highlight that even if the controller fulfils the criteria for mandatory designation, its processor is not necessarily required to appoint a DPO. This may, however, be good practice.
When the DPO is appointed on a voluntary basis, what criteria should be respected?
When the DPO is appointed on a voluntary basis, the requirements of the GDPR apply to the designation, position and tasks as if the designation had been mandatory (e.g. assessment of professional qualities, written appointment, publication of the DPO’s contact details for data subjects, and communication of those details to the supervisory authority).