While under the current regime, the undertakings have been given the opportunity, at their discretion, to appoint the so called „Data Protection Official”, under GDPR for first time the designation of a “person in charge” of personal data protection becomes mandatory for the organizations (personal data controllers and processors). GDPR requires the designation of DPO in three specific cases:
- where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
- where the core activities of the controller or the processor consist of:
- processing operations, which require regular and systematic monitoring of data subjects on a large scale. A “large-scale” would be considered for instance, the processing of patient data in the regular course of business by a hospital; the processing of travel data of individuals using a city’s public transport system; the processing of customer data in the regular course of business by an insurance company or a bank; processing of personal data for behavioural advertising by a search engine; processing of data (content, traffic, location) by telephone or internet service providers, etc. On the other hand, “Regular and systematic” would be monitoring which involves operating a telecommunications network; providing telecommunications services; email retargeting; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking; loyalty programs; behavioural advertising; closed circuit television, etc.¹;
- processing on a large scale of special categories of data under GDPR (e.g. personal data revealing racial or ethnic origin, data concerning health or data concerning a natural person’s sex life or sexual orientation; genetic data, biometric data such as fingerprints, facial shapes, iris, retina, etc.) or data relating to criminal convictions/ offences.
Besides in the cases listed above, Member States may set additional requirements for the designation of a DPO. According to information available on the website of the Bulgarian Commission for Personal Data Protection, DPO needs to be designated also in the cases where the organization processes personal data of more than 10 000 individuals². Even when the designation of DPO is not mandatory, GDPR allows organizations to voluntarily appoint DPO – such an appointment may be a successful marketing and reputational tool, as well as an efficient way of fulfilling some burdensome obligations. If an undertaking, even not having such an obligation, appoints DPO, it needs to comply with all the GDPR’s rules regarding this position, including ensuring independence.
DPO should possess an in-depth expertise on data protection law and practice. A single DPO is allowed to be designated by a group of undertakings (provided that the said DPO is easily accessible from each undertaking) or by a several public authorities/ bodies, taking account of their organisational structure and size. According to GDPR, DPO may be a staff member of the organisation or to be external fulfilling the tasks on the basis of a service contract. It is a matter of judgement for each organisation to decide what is the best way to designate DPO taking into account the specifics of its operation. Given that DPO is a staff member, he or she cannot combine other functions which would be in conflict with his or her duties and responsibilities as DPO. For example, senior management positions such as chief executive, head of Human Resources, chief financial or head of IT department cannot act as DPO, as they will have to control themselves. Any DPO must be “independent” – he/she shall be responsible to the highest management only and cannot be dismissed or sanctioned for reasons related to the performance of his/ her tasks (e.g. for consulting the controller to conduct impact assessment, because DPO considers a particular data processing operation to be particularly risky).
The rules and requirements regarding DPO need to be taken seriously as their infringement may result in fines up to EUR 10 million, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. If properly used, the DPO figure may turn into a powerful tool for achieving and maintaining compliance with the new rules.
¹ Refer to Guidelines on Data Protection Officers (‘DPOs’) by the Data Protection Working Party under Art. 29, available at the following Internet address: http://ec.europa.eu/newsroom/document.cfm?doc_id=44100
² Refer to See Ten practical steps to implement the General Data Protection Regulation by the CPDP available at the following Internet address: https://www.cpdp.bg/?p=element&aid=1109