GDPR toolkit

What you need to know.

The appointment of a Data Protection Officer (“DPO”) is mandatory for all organisations whose core activity (1) consists of either processing on a large scale (2) sensitive information and/or information relating to criminal convictions and offences, or carrying out regular and systematic monitoring of data subjects (for example, online via cookies) (3). This obligation thus applies in the first instance to larger organisations, such as hospitals, banks, insurance and telecommunication companies. Public authorities or bodies are also subject to this obligation, regardless of the size and nature of their processing activities.

The DPO has advisory and informative tasks and acts as the company’s internal and external contact person with regard to its privacy policy. He is the central figure for the implementation of the GDPR within the company and contributes to the accountability vis-à-vis, and communication with, the supervisory authority. Even for entities that do not fall under the obligation, for example because they do not process data on a large scale (such as an individual lawyer) or do not store sensitive data, it can be useful to appoint a DPO on a voluntary basis.

What you need to do by 25 May 2018.

As a processor or controller you need to check, on the basis of the three criteria listed above, whether a DPO has to be appointed within your company. From an evidence point of view, we recommend that you document this analysis, especially if you conclude that this obligation does not apply to you.

Next, when selecting a DPO, you are required to take several things into account. The DPO can be an internal employee or an external advisor, so long as he can demonstrate that he possesses the necessary knowledge of the law and practice in this area. In both cases, the DPO must be provided with sufficient resources and must be able to conduct his tasks in complete independence. This presupposes that no conflicts of interest may arise on the part of the DPO: for example, the position of an IT director, who decides on the (purpose of and funding for the) purchase of IT infrastructure, would be hard to reconcile with the tasks of a DPO. Furthermore, the DPO may not be penalised or dismissed for performing his tasks (by analogy with a trade union representative).

If you voluntarily appoint a DPO within your company, but at the same time want to avoid the requirements attached to that role described above, you could consider giving him a different title, such as “Chief Privacy Officer” or “Head of Data Protection”. This alternative designation must be clear from your policy and your (internal and external) communication.

Attention: the (mandatory or voluntary) appointment of a DPO does not in any way exempt you as a company from your obligations under the GDPR. As a company, you remain responsible for compliance with the GDPR.

Please consult our website or contact one of our team members if you have questions or require more information: