Key References
- GDPR Art. 37 (new requirement)
- GDPR Art. 38
- GDPR Art. 39
- Recitals 97, 91, 24
- WP29 Guidelines on Data Protection Officers (DPO)
Mandatory DPO:
- Art. 37 introduces a new requirement to appoint a mandatory DPO in certain circumstances.
- Art. 37 places the obligation to appoint a DPO on both controllers and processors;
- all public authorities or bodies processing personal data require a DPO (Art. 37(1)(a) excepts courts acting in their judicial capacity);
- for the private sector the criteria to appoint a DPO are: where core activities consist of regular and systematic monitoring of data subjects on a large scale, or where core activities consist of processing special categories of personal data (Art. 9) or data relating to criminal convictions and offences (Art. 10) on a large scale.
- GDPR does not define ‘core activities’, ‘large scale’, or ‘regular and systematic monitoring’ the way it explains ‘special categories’ (Art. 9).
- WP29 Guidelines on DPO clarify Art. 37 requirements as follows:
- ‘core activities’: WP29 states that,
- “‘Core activities’ can be considered as the key operations necessary to achieve the controller’s or processor’s goals … the core activity of a hospital is to provide health care. However, a hospital could not provide healthcare safely and effectively without processing health data, such as patients’ health records. Therefore, processing these data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs.” See sec. 2.1.2
- ‘large scale’: WP29 states that while the GDPR does not define the term large scale, recital 91 provides guidance on it. WP29 Guidance offers the following factors to determine when processing is large scale:
- The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity.
- WP29 Guidance offers the following examples that constitute large scale processing:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers
- WP29 Guidance offers the following examples that do not constitute large-scale processing:
- processing of patient data by an individual physician
- processing of personal data relating to criminal convictions and offences by an individual lawyer. See sec. 2.1.3.
- ‘regular and systematic monitoring’:
- WP29 explains ‘monitoring’ by pointing to recital 24 and states that it “clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising“.
- WP29 explains ‘regular’ to mean:
- ongoing or occurring at particular intervals for a particular period, or
- recurring or repeated at fixed times, or
- constantly or periodically taking place.
- WP29 explains ‘systematic’ to mean:
- occurring according to a system, or
- pre-arranged, organised or methodical, or
- taking place as part of a general plan for data collection, or
- carried out as part of a strategy.
- WP29 offers the following examples of activities that constitute regular and systematic monitoring:
- email retargeting
- data-driven marketing activities
- profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering)
- location tracking, for example, by mobile apps
- loyalty programs
- behavioural advertising
- monitoring of wellness, fitness and health data via wearable devices
- closed circuit television
- connected devices e.g. smart meters, smart cars, home automation, etc. See sec. 2.1.4
Qualifications for a DPO
- Art. 37(5), Art. 38, and Recital 97 set out the qualifications the DPO must have and the guarantees the organization must provide for the position:
- expert knowledge of data protection law and practices;
- ability to fulfil Art. 39 tasks;
- independence;
- necessary resources;
- report to the highest management level in the organization;
- no conflicts of interest between the DPO position and other roles.
- Art. 37(7) requires organizations to publish the contact details of the DPO (principle of transparency for data subjects) and to communicate them to the relevant supervisory authority.
Tasks of the DPO
- Art. 39 enumerates the tasks of a DPO which include:
- informing and advising controllers or processors and their employees of obligations under the GDPR,
- monitoring organization’s compliance with the GDPR,
- advising organizations on DPIAs,
- cooperating with relevant supervisory authority,
- acting as the contact point for the supervisory authority on behalf of the organization.
- WP29 provides further guidance on DPO tasks and states that the Art. 39(1) tasks must be viewed as a minimum; the controller or processor may assign additional tasks to the DPO, such as the record-keeping requirements under Art. 30, which the GDPR itself allocates to controllers and processors. See sec. 4.5.
- WP29 also states that DPOs are not personally responsible for the organization’s non-compliance with the GDPR; compliance remains the responsibility of the controller or processor.