The General Data Protection Regulation (GDPR) has established the concept of a Data Protection Officer (DPO) in Europe. Contrary to popular belief, what decides whether a company is legally obliged to appoint a Data Protection Officer is not the size of the company but its core processing activities, defined as those essential to achieving the company’s goals. If these core activities consist of processing sensitive personal data on a large scale, or of a form of data processing that is particularly far-reaching for the rights of the data subjects, the company has to appoint a DPO. Public bodies, on the other hand, always have to appoint a DPO, with the exception of courts acting in their judicial capacity. In addition, the legal norm on appointing a Data Protection Officer contains a flexibility clause for Member States, which are free to decide whether a company has to appoint a Data Protection Officer under stricter requirements (e.g. Section 38 of the German Federal Data Protection Act). If such an obligation exists under the General Data Protection Regulation or a more specific national law, a group of undertakings can also appoint a single Data Protection Officer. If the group decides to do so, the DPO must be easily accessible to the supervisory authorities, employees and external data subjects. If no legal obligation exists, companies can appoint a DPO on a voluntary basis to help with data protection compliance (which is, for example, recommended by the French data protection authority CNIL).
Groups and companies have two ways to meet their obligation to appoint a Data Protection Officer: either they name an employee as an internal Data Protection Officer, or they appoint an external Data Protection Officer. When selecting such a person, they must ensure that an internal Data Protection Officer is not subject to a conflict of interest arising from his work in the IT department, the HR department or senior management, where he would have to supervise himself. Regardless of which option is chosen, a Data Protection Officer must have expert professional knowledge of data protection law and IT security, the required scope depending on the complexity of the data processing and the size of the company.
The duties of a Data Protection Officer include working towards compliance with all relevant data protection laws, monitoring specific processes such as data protection impact assessments, raising employee awareness of data protection and training staff accordingly, and collaborating with the supervisory authorities. So that these tasks can be performed independently, an employee acting as Data Protection Officer must not be dismissed or penalised for fulfilling them. Despite the DPO’s monitoring function, the company itself remains responsible for complying with data protection laws. It therefore has to involve the Data Protection Officer in all issues relating to the protection of personal data “properly and in a timely manner”. When a Data Protection Officer is appointed, his superior must publish his contact details and communicate both the appointment and the contact details to the data protection supervisory authorities. A company that appoints a DPO voluntarily must also adhere to the criteria and provisions set out above. Note also that the wilful or negligent failure to appoint a Data Protection Officer despite a legal obligation is an infringement subject to fines.