When is it compulsory to appoint a Data Protection Officer (DPO)?
Article 37(1) of the GDPR (General Data Protection Regulation) requires the appointment of a DPO in three situations:
- When the processing is carried out by a public authority or public body.
- Where the core activities of the controller or processor consist of processing operations which require regular and systematic large-scale monitoring of data subjects.
- Where the core activities of the controller or processor consist of the large-scale processing of special categories of data or of personal data relating to criminal convictions and offences.
The G29, succeeded by the European Data Protection Board (EDPB), provides guidance on the criteria and terminology, which will be discussed in turn:
- Public authority or public body
- Core activities
- Large-scale
- Regular and systematic monitoring
- Special categories of data and data relating to criminal convictions and offences
Public authority or public body
Public authorities and public bodies include national, regional and local authorities, but, under the applicable national legislation, this concept also generally includes a series of other bodies governed by public law.
These concepts are therefore defined on a case-by-case basis by national law.
European law also provides guidance, in particular:
- Directive 2003/98/EC on the re-use of public sector information
- Directive 2004/18/EC on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts
Directive 2003/98/EC indicates that public sector bodies include:
the State, local and regional authorities, bodies governed by public law, and associations formed by one or more of these authorities or one or more of these bodies governed by public law.
Directive 2004/18/EC states that a body governed by public law is any body:
- established for the specific purpose of satisfying needs in the general interest which are not of an industrial or commercial character;
- having legal personality; and
- financed for the most part by the State, local authorities or other bodies governed by public law, or whose management is subject to control by these bodies, or whose administrative, management or supervisory body is made up of members more than half of whom are appointed by the State, local authorities or other bodies governed by public law.
Bodies governed by private law with a public service remit do not meet this criterion. Nevertheless, the appointment of a Data Protection Officer is strongly recommended for these bodies.
Core activities
Core activities can be considered as the essential operations necessary to achieve the objectives of the controller or processor.
For example, the core activity of a hospital is to provide health care.
However, a hospital cannot provide healthcare safely and effectively without processing health data, such as patients' medical records.
Therefore, the processing of such data must be considered one of the core activities of any hospital, and hospitals must therefore appoint a DPO.
On the other hand, all organisations carry out certain activities, such as remunerating their employees or providing standard IT support.
These activities are examples of support functions necessary to the core or principal activity of the organisation.
Although these activities are necessary or essential, they are generally considered to be auxiliary functions rather than the core business.
Large-scale
The main guidance currently available comes from the Data Protection Authorities.
In the Czech Republic, the Data Protection Authority has commented on large-scale data processing in its guide on prior risk assessment.
As in a number of other countries, the Czech Data Protection Authority has set a threshold for the number of data subjects beyond which data processing is considered to be large-scale, in this case:
10,000 data subjects.
However, processing carried out:
- by more than 20 branches, or
- by more than 20 employees
is also considered to be large-scale.
Finally, organisations will need to take account of whether the processing is carried out:
- at regional level, or
- at international level, the latter being more likely to be considered as large-scale processing.
The UK Information Commissioner's Office has not quantified large-scale processing.
Instead, the ICO explains in its guidance that the assessment of large scale takes into account the duration, or permanence, of the data processing activity, the number or proportion of data subjects, the volume of data and/or the range of different data elements processed, and the geographical extent of the processing activity.
It then provides some examples, including:
the processing of data by a hospital, the tracking of people using a town's public transport system, and the processing of customer data by banks, insurance companies and telephone and Internet service providers.
In any event, the G29, now the EDPB, recommends that the following factors be taken into account to determine whether processing is carried out on a large scale:
- the number of data subjects, either in absolute terms or in relation to the population concerned;
- the volume of data and/or the spectrum of data processed;
- the duration, or permanence, of the data processing activities;
- the geographical extent of the processing activity.
Here are some examples of large-scale data processing:
- the processing of patient data by a hospital in the normal course of its business;
- the processing of travel data of passengers using an urban public transport system.
On the other hand, the following are not large-scale processing operations:
- the processing, by a doctor practising on an individual basis, of data relating to his patients;
- the processing, by a lawyer practising on an individual basis, of data relating to criminal convictions and offences;
- the processing of data relating to criminal convictions and offences by a sole practitioner.
Regular and systematic monitoring
The notion of regular and systematic monitoring of data subjects is not defined in the GDPR.
However, the notion of "monitoring the behaviour of data subjects" is mentioned in Recital 24 of the GDPR.
This notion clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.
However, the notion of tracking is not limited to the online environment: online tracking should only be considered as one example of tracking the behaviour of data subjects.
The former G29, now EDPB, has clarified certain concepts, in particular "regular" and "systematic":
With regard to the term "regular", it is understood as:
- **continuous** or occurring at regular intervals over a given period;
- **recurring** or repeating at fixed times;
- occurring on a constant or periodic basis.
With respect to the term "systematic", one or more of the following meanings apply:
- occurring in accordance with a system;
- **pre-established**, organised or methodical;
- taking place as part of a general data collection programme;
- carried out as part of a strategy.
Here are some examples of activities constituting regular and systematic monitoring of data subjects:
- the operation of a telecommunications network;
- the provision of telecommunications services;
- retargeting by electronic mail;
- data-driven marketing activities.
Special categories of data and data relating to criminal convictions and offences
Although this provision uses the word "and", there is no reason in principle why the two criteria should be applied simultaneously. The text should therefore be read as meaning "or".
In any event, designation is mandatory as soon as the large-scale collection concerns:
- data revealing racial or ethnic origin;
- data revealing political opinions;
- data revealing religious or philosophical beliefs;
- data revealing trade union membership;
- genetic data;
- biometric data;
- health data;
- data concerning sexual life or sexual orientation.
Case study
| Entity | Activity | Mandatory appointment of a DPO? |
|---|---|---|
| Association | Association offering sporting activities in its village. | No. |
| Private company | Subcontractor specialising in the provision of such services, which processes real-time geolocation data of customers of an international fast-food chain for statistical purposes. | Yes, the entity processes data on a large scale as part of its core activities. |
| Town Hall | A municipality of around one hundred inhabitants carries out the standard data processing of a local authority. | Yes, it is a public body. |
| Public limited company | Provision of telecommunications services. | Yes, the entity regularly and systematically monitors data subjects. |