Appointing a Data Protection Officer (DPO)

Appointing a DPO is an obligation for some organisations. On the other hand, some wish to do so voluntarily. The questions ‘when does an organisation need to appoint a DPO’ seems to be a puzzling one. Nevertheless, appointing a DPO comes with many benefits for an organisation’s data processing activities.

Assessing whether this obligation applies is not always simple. A quick glance at the law text doesn’t give a clear-cut answer either – unless you are a public authority or a body, in which case appointing a DPO is just plain mandatory (with the exception of courts acting in their judicial capacity). For all the other organisations, the key indicator set by The GDPR is the intrusiveness of data processing. In practice, obligation to appoint a DPO concerns controllers and processors falling under these definitions:

  1. core activities require regular and systematic monitoring of data subjects on a large scale, or
  2. core activities consist of large-scale processing of special categories of data or personal data relating to criminal convictions and offences.

Now, these conditions aren’t the most unambiguous ones, aren’t they? For example – what constitutes as ‘large-scale’? The GDPR itself leaves us with a hint of vagueness on this, as it does not give a clear definition on what large-scale processing actually means. Further directions on how to interpret these conditions can luckily be found. Article 29 Working Party has delivered their own guideline, and different European data protection Supervisory Authorities provide support as well. So, regarding whether one ought to have a DPO in operation, a few examples here may give some clarification on the issue.

Example Scenarios: When Should You Appoint a DPO?

Firstly, a DPO should be appointed in many cases where organisation’s core activities consist of large-scale processing of special categories of data. Core activities refers to activities essentially related to the business focus. Special categories of data refer to especially sensitive data. This would be any data as defined by the Article 9 of GDPR, e.g. data revealing one’s ethnic origin, political opinions or religious beliefs. Whether processing is on a large scale can be determined by e.g. the number of data subjects. Below are some examples where all these terms are realised:

  • health care related purposes, as in hospitals or health centres;
  • insurance purposes, referring to insurance companies.

Appointing a DPO comes in question also in many cases where a company’s core activities consist of intrusive monitoring or a combination of different methods of monitoring individuals – ‘systematically and regularly’. Textbook examples of such cases or businesses are not to be set in stone. Monitoring activities such as profiling individuals for credit scoring or headhunting purposes, or tracking user movement and location as a business may trigger the obligation. Here a more context specific evaluation is often needed.

However, as stated above, for some organisations this is something they wish to do on a voluntary basis. Setting the “obligatory aspect” apart, benefits of having a DPO are quite recognisable. Not only do DPOs monitor and ensure that organisation complies with the legislation, they can also act as a contact point between relevant stakeholders. Appointing a DPO helps to bring ownership and structure to privacy and data protection activities. You can read more about DPO’s role and available options of organising a DPO from our whitepaper. GDPR also allows for outsourcing of a DPO. To learn more about Privaon’s DPO-services, visit DPO as a Service page.

Writer

Toni Leppänen, Privacy Specialist
toni.leppanen@privaon.com
www.privaon.com