When an organisation appoints a Data Protection Officer whether on a voluntarily basis or because its processing activities meet the criteria set out in the GDPR (see here, for more details), it should pay attention to the following points at the time of the DPO’s appointment:
The contractual relationship between the DPO and the Controller or Processor
The skills and level of expertise of the DPO
The position of the DPO within the company organisation and the resources to be allocated
1. Contractual relationship between the DPO and the controller(s) or processor(s)
The data protection officer may:
– be a staff member of the controller or processor, or fulfill his/her tasks on the basis of a service contract;
– work as part of a team or alone depending on the needs;
– perform their tasks on a full or part time basis and be in charge of other activities. However, conflict of interest of any kind must be avoided (e.g. it should never be in a position to determine the means and the purposes of a processing carried out by the company).
Furthermore it is possible to appoint one DPO for several undertakings in the following cases:
– a group of undertakings (e.g. a group of companies) as long as (s)he is easily accessible from each establishment.
– Public authorities or bodies taking into account their organisational structure and size.
– Entity representing categories of controllers or processors
2. Skills and Expertise of the DPO
The level of expertise required is not defined in the GDPR and should vary depending on the complexity of the organisation and more particularly of the kind of data processing activities.
It is expected that the DPO have expertise in national and European data protection laws and practices and an in depth understanding of the GDPR.
It should also have sufficient knowledge of the business sector and of the organization of the controller or the processor as well as good understanding of the processing operations it carries out including its information system and its data security as well as its data protection needs.
Where (s)he is appointed by a public authority or body, the DPO should also have knowledge of the administrative rules and procedures of the organisation.
3. Position and Resources of the DPO
According to article 38 GDPR, the DPO must be involved in all issues relating to the protection of personal data.
In this regard, necessary resources must be allocated to enable the DPO to fulfill their mission. In practice, it is expected that DPOs receive active support by senior management, sufficient time, financial resources, infrastructure and staff where appropriate as well as continuous training.
The DPO should act in an independent manner and it is required that they should not receive any instructions regarding the exercise of their tasks. As a result, it is not possible to impose penalties (from dismissal to a mere threat) on the DPO as result of the DPO carrying out their duties.
Furthermore, the Belgium supervisory authority ruled that a DPO could not be simultaneously head of another service (see here for more details about the decision).
If you have any question, do no hesitate to contact Arnaud Blanc, French and UK qualified lawyer based in France.