The designation of a Data Protection Officer (DPO) is either mandatory or voluntary depending on the kind of processing carried out by a company, and concerns both data controllers and data processors.
According to article 37 (1) of the new data protection regulation (GDPR), the designation of a DPO is required in three specific cases:
- Where the processing is carried out by a public authority or body (case 1);
- Where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (case 2); or
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences (case 3).
Even where the designation of a DPO is not mandatory, it is recommended to document the analysis carried out to determine whether or not a DPO is to be appointed.
Therefore, each company should go through this analysis and be able to explain why it has not appointed a data protection officer.
1. Public authorities and bodies must appoint a DPO (case 1)
Where a data controller or processor is a public authority or body, it must appoint a DPO irrespective of the kind of data processing carried out.
« Public authority or body » is not defined in the GDPR, and therefore national laws should define the notion.
However, « public authority or body » should include national, regional and local authorities but, subject to Member State law, it may also include a range of other bodies governed by public law.
Even though it is not mandatory, the WP29 recommends that a DPO be appointed where legal or natural persons governed by public or private law carry out public tasks or exercise public authority.
Depending on Member State law, these services may include public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.
Where a data controller or processor is not a public body or authority, it may be required to appoint a DPO if its processing activities meet the conditions of case 2 or 3.
2. Other kinds of organisations must appoint a DPO if their processing activities meet two conditions (cases 2 & 3)
For a controller or processor to have to appoint a DPO, its core activities must consist of processing operations on a large scale (cases 2 & 3: first condition).
Then, either its data processing activities require a “regular and systematic monitoring of individuals” (case 2) or they concern “special categories of data and data relating to criminal convictions and offences” (case 3) (second condition).
If the first condition and one of the specific criteria of the second condition are met, a DPO is to be appointed.
2.1. First condition: their “core activities” must consist of processing operations on a “large scale”
2.1.1. « core activities »
The GDPR refers to « core activities » as the primary activities of the controller or processor, not the processing of personal data as an ancillary activity.
These are the key operations necessary to achieve the controller’s or processor’s goals.
This should include activities where the processing of data is an inherent part of the controller’s or processor’s activity (e.g. a hospital needs to process health data to provide medical services; a security company carrying out surveillance needs to process personal information for security purposes).
However, support functions for the organisation’s core activity should be excluded (e.g. payroll, IT support, etc.).
2.1.2. « Large scale »
There is no specific threshold provided in the GDPR and, with time, it may become possible to determine more precisely what « large scale » means in each case.
In the meantime, the WP29 recommends taking into consideration the following factors:
- The number of data subjects concerned (either as a specific number or as a proportion of the relevant population)
- The volume of data and/or the range of different data items being processed
- The duration or permanence of the data processing activity
- The geographical extent of the processing activity
The WP29 has provided some examples of what “large scale” processing could be in practice:
- Processing of patient data in the regular course of business by a hospital
- Processing travel data of individuals using a city’s public transport system
- Processing of customer data in the regular course of business by an insurance company or a bank
- Processing of personal data for behavioural advertising by a search engine
Therefore, large scale processing can range from a hospital to a national or international business.
However, small businesses should not be concerned by the large scale processing criterion.
2.2. Second condition: these activities must require “regular and systematic monitoring” or concern “special categories of data”
2.2.1. “regular and systematic monitoring” (Case 2)
« Monitoring the data subjects » covers all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.
However, it should not be limited to the online environment: all kinds of monitoring are relevant.
The words “regular” and “systematic” should be understood as follows:
« Regular »:
- Ongoing or occurring at particular intervals for a particular period
- Recurring or repeated at fixed times
- Constantly or periodically taking place
« Systematic »:
- Occurring according to a system
- Pre-arranged, organised or methodical
- Taking place as part of a general plan for data collection
- Carried out as part of a strategy
Examples of regular and systematic monitoring include: providing telecommunication services or networks, email retargeting, profiling and scoring for risk assessment purposes, location tracking, loyalty programmes, behavioural advertising, etc.
2.2.2. Special categories of personal data and data relating to criminal convictions and offences (case 3)
The data controller or processor must process data relating to health, sexual orientation, religion, political opinion, etc. as set out in article 9 of the GDPR, or data relating to criminal convictions and offences as set out in article 10 of the GDPR.
Processing one kind of these data is sufficient to meet this criterion.
Where all the criteria specific to each case are met, a DPO is to be appointed by the data controller and/or processor.
3. How do these provisions apply when only the processor meets the criteria?
It may happen that a controller does not meet the criteria while the processor meets all of them and is therefore required to appoint a DPO.
For example, a family business uses the services of a processor whose core activity is to provide website analytics services and assistance with targeted advertising and marketing.
The processor, if it has many customers, will be processing personal information on a large scale, and its core activity is to regularly monitor data subjects. Therefore, the processor should appoint a DPO, while the controller (i.e. the family business) should not.