
How to appoint a data protection officer

The DPO... let's talk about it!

Paul-Emmanuel Bidault
27 December 2023·19 minutes read time

The General Data Protection Regulation (GDPR) has established the role of Data Protection Officer (DPO).

Made compulsory by the GDPR in certain cases, the appointment of a DPO has a double advantage:

  • facilitating compliance with the rules and,
  • becoming a competitive advantage for companies.

This function existed prior to the GDPR for the European institutions and in France through the correspondents informatique et libertés, who had similar functions.

The data protection officer can be defined as the person responsible within an organisation for ensuring compliance with data protection regulations.

When should they be appointed? Why appoint one? Is it mandatory? Who should be appointed?

These are just some of the questions that prompted us to draw up a guide on the subject.

Here we look at the stages involved in appointing the DPO.


The steps involved in appointing a DPO

We offer you a guide to the stages of appointing a DPO.

  1. Step 1: Document your approach
  2. Step 2: Determine whether the appointment of a DPO is mandatory or optional
    • Public authority or public body
    • Core activity
    • Large-scale
    • Regular and systematic monitoring
    • Special categories of data and data relating to criminal convictions and offences
  3. Step 3: Check the DPO's prerequisites
    • Skills
    • Resources
    • Independence
  4. Step 4: Complete the formalities associated with the appointment
    • Online declaration
    • Publicising the appointment of the DPO

Step 1: Document your approach

Whether or not you are obliged to appoint a DPO, you must document your choice.

The European Data Protection Board (EDPB), which brings together the European data protection authorities, published guidelines on 13 December 2016.

It recommends that an internal analysis be systematically carried out in order to demonstrate that all the relevant factors were taken into account when determining whether or not the appointment of a DPO is an obligation for the entity concerned.

In practice, this involves creating documentation, for example a Word or Excel file, showing that the entity concerned has checked every case in which the appointment of a DPO is mandatory and detailing, for each criterion, how it has or has not been met.

This documentation must be made available to a data protection supervisory authority.


Step 2: Mandatory or optional appointment of the DPO?

Article 37.1 of the GDPR provides for three cases of mandatory appointment of a DPO:

  1. When the processing is carried out by a public authority or public body.
  2. Where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
  3. Where the core activities of the controller or processor consist of the large-scale processing of special categories of data or of personal data relating to criminal convictions and offences.

If you find yourself in one of these situations, you are obliged to appoint a Data Protection Officer.

Note: EU or Member State law may require the appointment of a DPO for associations representing groups of data controllers (in accordance with Article 37(4)).

The Italian supervisory authority has imposed a fine of €75,000 on the Italian Ministry for Economic Development for failing to appoint a DPO and for publishing the personal data of more than 5,000 people on the internet (see the order of 11 February 2021).

This decision demonstrates:

  • the importance of taking into account the role of the DPO;
  • the need to verify the mandatory cases for appointing a DPO;
  • that public entities, in the same way as private entities, are subject to the provisions of the GDPR.

Step 3: DPO requirements

Before appointing a DPO, it is necessary to check that three conditions have been met:

The DPO has the required skills

The regulations do not specify the professional qualities to be taken into consideration when appointing the DPO.

However, it is necessary for the DPO to have expertise in the field of national and European data protection legislation and practices as well as in-depth knowledge of the GDPR.

Similarly, the level of expertise required is not strictly defined but must be proportionate to the complexity and volume of data processed by an organisation.

Note: the person who is to be appointed DPO may undergo training to acquire the required skills. Similarly, mechanisms for certifying DPO skills have been established by some data protection authorities, providing a reference framework for certifying DPOs.

Lastly, the DPO's primary concern must be compliance with the GDPR. The DPO therefore plays a key role in promoting a data protection culture within the organisation and must therefore demonstrate integrity and ethics.

The DPO may perform other tasks but must not be subject to any conflict of interest in the performance of their duties. In practice, they must not take part in decisions on the purposes and means of processing.

The importance of checking the prerequisites for the future DPO:

On 28 April 2020, the Belgian data protection authority imposed an administrative fine of €50,000 on Proximus SA, the leading telecommunications company in Belgium, for having insufficiently verified that its data protection officer was not in a conflict of interest.

In addition to the fact that this is the highest amount since sanctions began in Belgium, the authority above all emphasised the importance of checking the prerequisites before appointing a DPO:

"The DPO is supposed to act as a guide in this process. You cannot therefore be the advisor and the one who takes the decision, as was the case at Proximus."

The DPO has sufficient resources

The organisation must provide the resources necessary to carry out the duties of the DPO (Article 38.2 of the GDPR).

In short, this translates into:

  • Active support for the DPO's function from senior management
  • Sufficient time for DPOs to carry out their duties
  • Adequate support in terms of financial resources, infrastructure and staff, e.g. investment in a tool
  • Official communication of the appointment of the DPO to all staff to ensure that the existence and function of the DPO are known within the organisation
  • Ongoing training: to enable DPOs to keep their knowledge up to date and even to constantly increase their level of expertise

...

Luxembourg's data protection authority, the CNPD (the Luxembourg counterpart of the French CNIL), has already acknowledged that the size of the company and the time devoted by the DPO to his or her duties are not negligible factors in compliance with the GDPR.

Thus, in Deliberation No. 30FR/2021 of 4 August 2021, the Commission's select committee notes that the investigation file shows that, in practice, the DPO devotes around 70% of his working time to his DPO duties.

Even taking into account the fact that the DPO devotes more time to his duties as DPO than the 50% initially envisaged, as well as the support provided by the temporary intervention, until March 2019, of an external consultant, the select committee considers that the DPO did not have sufficient time to perform his duties, particularly in view of the sensitivity, complexity and volume of the data processed by the audited entity.

The public institution was penalised financially and an injunction to comply within four months was issued as corrective measures.

The DPO has the ability to act independently

DPOs must be able to perform their duties with a sufficient degree of autonomy (Article 38.3 of the GDPR).

For example, under Article 39 of the GDPR, DPOs must not receive instructions on how to handle a case such as how to investigate a complaint or whether to consult the supervisory authority.

Similarly, Recital 97 of the GDPR states that DPOs "whether or not they are employees of the controller, should be able to exercise their functions and duties with complete independence".

Caution: the autonomy and independence of DPOs do not mean that they have decision-making powers that go beyond their duties under Article 39 of the GDPR.

In practice, this translates into three conditions. DPOs:

  • must not receive instructions in the performance of their duties;
  • must not be subject to any sanction (dismissal, curtailment of career advancement, etc.) as a result of the performance of their duties;
  • must report directly to the highest level of the organisation's management.

Step 4: Complete the formalities involved in appointing the DPO

Online declaration

It is necessary to declare your DPO to your competent supervisory authority.

In the case of the UK, the ICO has created an online declaration form.

In the case of Ireland, the DPC has created an online declaration form too.

In principle, it is the person legally responsible, usually the company director, who must complete the form. In practice, it is usually the future DPO who does this.

If the DPO is shared, the form must be completed for each entity concerned.


The form consists of 3 parts:

  • The first part of the form identifies the structure;
  • The second part identifies the DPO;
  • The third part concerns the DPO's public contact details.

The DPO's contact details are made public by law so that data subjects can contact them if necessary.

Publicising the appointment of the DPO

There is an obligation on the data controller to publish "the data protection officer's contact details and communicate them to the supervisory authority" (Article 37.7 GDPR).

These requirements are intended to ensure that data subjects and supervisory authorities can easily and directly contact the DPO without having to contact another department of the organisation.

On the communication of the DPO's contact details

The DPO's contact details must contain information enabling data subjects and supervisory authorities to contact the DPO easily (a postal address, a specific telephone number and/or a specific e-mail address).

If necessary, for the purposes of communication with the public, other means of communication could also be provided, for example, specific telephone assistance, or a specific contact form addressed to the DPO on the organisation's website.

Note that Luxembourg's CNPD has already demonstrated in its deliberation of 4 August 2021 that this is an obligation to be taken seriously, for example:

Public institution A should have communicated the details of its DPO to the CNPD by 25 May 2018.

The DPO's contact details were not communicated until 27 September 2018.

The CNPD concludes that Article 37.7 of the GDPR has not been complied with by public body A. Corrective measures and a fine follow.

On the communication of the name of the Data Protection Officer (DPO)

There is no requirement to publish the name of the DPO to the general public.

However, communication of the DPO's name to the supervisory authority is essential so that the DPO can act as the point of contact between the organisation and the supervisory authority.
