Over two years have passed since the highly debated General Data Protection Regulation (GDPR) came into effect on 25 May 2018. By updating its predecessor – the Data Protection Directive – it forcefully placed data protection on the compliance agenda in the European Union and generated greater awareness of privacy rights. As a result, supervisory authorities have issued various data protection guidelines, promulgated good industry practices and issued fines for non-compliance. The media has focused on the ‘big’ breaches with the ‘big’ ticket fines; however, the authorities have been turning their attention more and more to the requirement for organizations to appoint a data protection officer (DPO) and to related DPO compliance issues.

The regulation is clear: an organization is required to appoint a Data Protection Officer (DPO) when (a) it is a public authority; (b) it carries out regular and systematic monitoring of data subjects on a large scale as a core activity; or (c) as part of its core activities, it carries out large-scale processing of special categories of data or data relating to criminal convictions and offences. Article 37 (Designation of a DPO), Article 38 (Position of the DPO) and Article 39 (Tasks of the DPO) of the GDPR outline the requirements of the DPO. Subsequent guidance by the Article 29 Working Party (since replaced by the European Data Protection Board), the ‘Guidelines on DPOs’, provides further understanding of the DPO requirements and of the necessity for the DPO to perform their duties and tasks in an independent manner. One of the most significant ethical guidelines is that the nominated DPO cannot serve as DPO while at the same time determining the purposes and means of data processing.

Failing to appoint a DPO

Under the GDPR there is a mandatory requirement for organizations to designate a DPO in certain circumstances. Within a commercial setting, most organizations will be looking at the mandatory requirement to appoint a DPO under Article 37(1)(b), that is, where the core activities of the controller or processor consist of the regular and systematic monitoring of data subjects on a large scale. Article 37(1)(c) makes it mandatory for organizations to appoint a DPO when they process special categories of data or data relating to criminal convictions on a large scale.

In June 2020, the Spanish Data Protection Authority imposed an administrative fine of €25,000 on Glovo for failing to appoint a DPO. One of the arguments brought forward by Glovo was that the organization had established a Data Protection Committee, which in practice carried out the functions of the DPO. Glovo also appointed a DPO once it became subject to regulatory investigation. However, neither the existence of the Data Protection Committee nor the retrospective appointment of a DPO appeased the regulator. At the time the fine was imposed, the company’s website did not contain information about an appointed DPO. The fine is subject to appeal.

Failing to avoid conflicts of interest

Article 38 states that the DPO must be independent and free from conflicts of interest, and Article 39 outlines the main tasks of the DPO. Similarly, the ‘Guidelines on DPOs’ make it clear that conflicts of interest can occur and that, as a rule of thumb, conflicting positions within the organization include senior management positions such as C-suite roles and heads of departments.

It is not just Spain that is focusing on the conflicting role of the DPO. On 28 April 2020, the Belgian Data Protection Authority (BDPA) imposed an administrative fine of €50,000 on Proximus SA for appointing the Director for Audit, Risk and Compliance as DPO, a dual role that resulted in a conflict of interest. Proximus SA argued that the DPO’s additional responsibilities were advisory and did not entail making decisions about the purposes and means of data processing. However, the BDPA noted that the DPO did more than advise, as the audit role involved significant ‘operational’ oversight of various types of processing. Clearly, a dual role which involves ‘self-monitoring’ does not equate to an ‘independent DPO’, and a conflict of interest will present itself.

Failing to nominate a DPO where one is mandatory and failing to deal with conflicts of interest are not the only issues that regulators will look at. Organizations will also need to communicate the appointment of their DPO to the relevant supervisory authorities.

Failing to notify the appointment of a DPO

In December 2019, the Hamburg supervisory authority fined Facebook Germany GmbH €51,000 for breach of Article 37(7) of the GDPR. Article 37(7) requires a controller or processor to publish the contact details of the DPO and communicate them to the supervisory authority. Through a complaint, the supervisory authority was made aware that Facebook had failed to communicate the contact details of the DPO to the Hamburg supervisory authority. Facebook had already appointed a DPO for all EEA subsidiaries in Ireland and had notified the appointment to the Irish supervisory authority. Facebook cooperated with the supervisory authority and accepted the fine.

The decision by the Hamburg supervisory authority shows that even where a single EU DPO has been appointed and communicated to one designated supervisory authority, organizations must also notify the EU DPO’s appointment to all relevant supervisory authorities in every location where the group operates.

Preventative measures

These three cases show that the role of the DPO is not just a requirement on paper. The DPO is an important element of GDPR compliance, and the data protection authorities across Europe are enforcing the proper implementation of this role. It is advisable that organizations properly assess whether or not they are required to appoint a DPO. If the answer is yes, organizations should be careful to choose a person with no conflicts of interest. Some organizations opt for an outsourced DPO who has the technical skills and is free of conflicts of interest. Finally, the DPO should be properly registered in the jurisdictions where the organization operates. As an organization grows and changes, it is important to reassess whether new personal data processing triggers a mandatory DPO appointment and to ensure that the appointment is communicated to the relevant supervisory authorities.