The intriguing figure of the Data Protection Officer

From the DPO as an exception to the DPO as a rule. Since the publication of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, one of the most discussed topics in forums about the new regime and which causes greater curiosity has been the “data protection officer” or “DPO”.

It is true that this figure already existed in several countries, even before the GDPR, like in Germany, however only now it becomes legally obligatory, having verified the conditions of article 37/1 of the GDPR, namely:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  3.  the core activities of  the controller or  the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences.


About the definition of “grand scale”

One of the difficulties that Article 37/1 offers is the definition of “large scale”, which the Article 29 Working Party (Data Protection Working Group created by Article 29 of Directive 95/46/EC of the European Parliament and of the Council) has, however, helped to interpret (v. Guidelines on Data Protection Officers (´DPOs´), p. 9).


(…) WP 29 recommends that, in particular, the following factors be taken into account in determining whether the processing is carried out on a large scale:

  • The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity”

At the same time, recital 91 of the GDPR also provides some guidelines, adding that “large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk”. As a specific example, “personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer”.


About the designation of a DPO as a good practice

Although the GDPR only requires the designation of a Data Protection Officer when the above requirements are met and is therefore optional outside of these cases, the Article 29 Working Party (see Guidelines on Data Protection Officers (´DPOs´), p. 6), recommends that, even though it is not clear that an organization is not required to designate a DPO, one should be designated. In any case, the appointment of a DPO will always be understood as a good practice in data protection.

If the controller chooses, even if he is not obliged to do so, to designate a DPO, he is obliged from then on to fulfil all the underlying obligations as if the designation was mandatory, namely to give access to existing platforms and databases to the Data Protection Officer.


About the resources that should be provided to the DPO

The GDPR does not define the resources that the controller or subcontractor must grant to the DPO. However, the Article 29 Working Party (v. Guidelines on Data Protection Officers (´DPOs´), p. 27) recommends that:

“Depending on the nature of the processing operations and the activities and size of the organisation, the following resources should be provided to the DPO:

  • active support of the DPO’s function by senior management
  • sufficient time for DPOs to fulfil their tasks
  • adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
  • official communication of the designation of the DPO to all staff
  • access to other services within the organisation so that DPOs can receive essential support, input or information from those other services
  • continuous training


About the tasks of a DPO– article 39/1 of the GDPR

From the moment he is designated, the DPO becomes the central figure of the organization regarding the processing of personal data, assuming the tasks of (i) to  inform and advise all parties involved of  their obligations pursuant to this Regulation (ii)  to monitor compliance with this regulation, with other Union or Member State data protection provisions and with organization’s privacy policy (iii)  to provide  advice on the subject and (iv) monitor the performance of  the  data protection impact  assessment, cooperate with the supervisory authority. It will also act  as  the  contact point, not only  for  the  supervisory  authority,  on  issues relating to  processing, but also to the data holders, in particular for the exercise of their rights, and their contacts must be made publicly available and communicated to the supervisory authority.


About the professional profile of the DPO

Another thorny issue is the DPO’s professional profile.

The GDPR in its article 37/5 states that “the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” The much-debated question remains if it should be someone more connected to law or to information technologies or someone combining the two areas of knowledge.

At first glance, it appears that the profile of the DPO should be shaped according to criteria relating to the controller, to the data subjects and the type of data being processed. That is, if it’s a large business structure, a DPO supported by a multidisciplinary team is advisable. If patient medical data is involved, someone with specific experience and/or training in the health sector should be designated. The level of skills and support will be all the greater as the complexity of the data processing activity or the share of sensitive data.

Also here the Article 29 Working Party (v. Guidelines on Data Protection Officers (´DPOs’), p. 26) gives a contribution:

“Relevant skills and expertise include: 

  • expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR
  • understanding of the processing operations carried out
  • understanding of information technologies and data security
  • knowledge of the business sector and the organisation
  • ability to promote a data protection culture within the organisation


About the functional position of the DPO

The GDPR allows, in Article 37/6, that the data protection officer be a member of the staff of the entity responsible for the processing or of the subcontractor or perform his duties on the basis of a service contract, as an external DPO.

Here the concern was raised about, if an employee is chosen, how to reconcile the nature of an individual employment contract with the technical independence of the DPO and the absence of disciplinary power over the subject of the audits. That is, we will have, in these cases, an employee with double duties, worker, subordinate, subject to the directive and disciplinary power of the employer, and simultaneously, a data protection officer, who audits the performance of the organization, namely his superiors, who receives no instructions and cannot be penalized or dismissed for the performance of his duties.


About the responsibility of the DPO

Lastly, and contrary to what is the concern of future data protection officers, the DPO is not responsible for personal data breaches, being liable, in case of fines or obligations to pay damages, only the person responsible for the processing or the subcontractor.

In any case, if it is found that the violation was caused by an indifferent performance of the DPO, there may be a right of recourse of the controller or the subcontractor to the data protection officer, in general terms.


Jane Kirkby, lawyer and partner at BAS

More in Communication