The designation of a Data Protection Officer (DPO) is either mandatory or voluntary depending (i) on the kind of organisation, (ii) its activities and/or (iii) the type of processing operations it carries out (e.g. scale, type of data etc.).
According to article 37 (1) of the General Data Protection Regulation (GDPR) the designation of a DPO is required in three specific cases:
Where a public authority or body carries out processing operations (case 1);
Where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale (case 2); or
Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences (case 3).
Organisations should also keep a record of their decision including their reasoning, especially when they decide not to appoint a DPO.
1. Public authorities and bodies must appoint a DPO (Case 1)
Where a data controller or processor is a public authority or body, it must appoint a DPO if it processes personal data.
« Public authority or body » is not defined in the GDPR. It is, therefore, necessary to refer to Member States' laws in order to determine whether an organisation is a public authority or body.
However, « public authority or body » should include national, regional and local authorities and, subject to Member State law, it may also include a range of other bodies governed by public law.
Whilst this is not required by the GDPR, the authorities (EDPB) recommend that a DPO be appointed where legal or natural persons, governed by public or private law, carry out a public task or exercise public authority.
Such public tasks or exercises of public authority may include public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.
2. Other organisations must appoint a DPO only if their processing activities meet two conditions (cases 2 & 3)
A controller or processor must appoint a DPO when:
– its core activities consist of processing operations on a large scale (first condition); and
– those operations require “regular and systematic monitoring of individuals” (case 2); or
– those operations entail the processing of “special categories of data or data relating to criminal convictions and offences” (case 3).
2.1. First condition: their “core activities” must consist of processing operations on a “large scale”
2.1.1. What are « core activities »?
According to the GDPR, « core activities » are the primary activities of the controller or processor.
They should be the key operations necessary to fulfil the controller or processor’s goals and be an inherent part of the controller or the processor’s activity.
For example, a hospital needs to process health data to provide medical services; a security company needs to process individuals’ personal information for surveillance purposes.
However, support functions for the organisation’s core activity (e.g. payroll, IT support, etc.) are excluded.
2.1.2. When is data processing carried out on a « large scale »?
The GDPR does not provide for a specific definition of “large scale”.
However, the EDPB recommends taking into consideration the following factors:
– The number of data subjects concerned (either as a specific number or as a proportion of the relevant population);
– The volume of data and/or the range of different data items processed;
– The duration or permanence of the data processing activity;
– The geographical extent of the processing activity.
The EDPB has provided examples of what processing operations on a “large scale” could be in practice:
– Processing of patients’ data in the regular course of business by a hospital;
– Processing travel data of individuals using a city’s public transport system;
– Processing of customers’ data in the regular course of business by an insurance company or a bank;
– Processing of personal data for behavioural advertising by a search engine company.
Comments: The suggested examples may appear inconsistent as the number of patients of a hospital (e.g. thousands per year) may be far lower than the number of banks’ customers (e.g. several million). However, the permanence of the activity and the range of the different data items per patient processed by a hospital may explain the analysis proposed by the authorities.
2.2. Additional Conditions: these activities must entail “regular and systematic monitoring” or the processing of “sensitive data”
If, in addition, the organisation’s processing operations also meet one of the two additional conditions, it will have to appoint a DPO.
2.2.1. The processing operations entail “regular and systematic monitoring” (Case 2)…
« Monitoring the data subjects » covers all forms of tracking and profiling on the internet, including for behavioural advertising.
However, it should not be limited to the online environment, as all kinds of monitoring are relevant.
For the EDPB, “regular” and “systematic” should be defined as follows:
« Regular »:
– Ongoing or occurring at particular intervals for a particular period;
– Recurring or repeated at fixed times;
– Constantly or periodically taking place.
« Systematic »:
– Occurring according to a system;
– Pre-arranged, organised or methodical;
– Taking place as part of a general plan for data collection;
– Carried out as part of a strategy.
Examples of regular and systematic monitoring:
Providing telecommunication services or networks, email retargeting, profiling and scoring for risk assessment purposes, location tracking, loyalty programs, behavioural advertising, etc.
2.2.2. … Or entails the processing of “Special categories of personal data or data relating to criminal convictions and offences” (case 3)
The organisation must also appoint a DPO if the processing operations carried out on a large scale entail the processing of special categories of data as set out in article 9 GDPR (e.g. data relating to individuals’ health, sexual orientation, religion, political opinion, etc.) and/or data relating to criminal convictions and offences as set out in article 10 GDPR.
It is only necessary to process one type of sensitive data to meet this criterion.
If the processing operation activities satisfy the first condition and one of the additional conditions, the organisation, acting either as a controller or a processor, must appoint a DPO.
3. What happens when only the processor’s processing operation activities meet the criteria?
In some cases, a processor may be the only one under the obligation to appoint a DPO.
For example, a family business runs a website and resorts to the services of a third party providing website analytics services and targeted advertising and marketing assistance.
The third-party provider, which regularly monitors data subjects, may act on behalf of several companies and process personal information of thousands, or even millions, of individuals (i.e. on a large scale).
As a consequence, it meets all the criteria and should appoint a DPO, whereas the family business should not.
If you have any questions, do not hesitate to contact Arnaud Blanc, French & UK qualified lawyer based in France.