The EU Data Protection Regulation, which came into force last spring, has caused a flurry of activity in many companies as they prepare for the new requirements. Preparations should be completed by 25 May 2018 when the Regulation becomes applicable at the end of a two-year transition period. However, the somewhat unclear wording of the Regulation is causing interpretation problems. Companies are waiting for more detailed practical guidance regarding, for example, the appointment of Data Protection Officers.
In December, the EU Data Protection Working Party (WP29) responded by releasing three sets of guidelines, one of which concerns Data Protection Officers. On 24 January, the Data Protection Office of the Ombudsman also published a guide on preparing for the Regulation; it is directed at controllers and was drawn up in collaboration with the Ministry of Justice. The guide briefly discusses the appointment, role and responsibilities of a Data Protection Officer. It is worth continuing to follow developments on this topic, as further guidance and amendments to national legislation will appear during the transition period. In the longer term, the interpretation of the Regulation will also be refined through case law.
The Data Protection Officer according to the new Regulation
Appointing a Data Protection Officer shall be mandatory for the controller and processor when:
a) the processing is carried out by a public sector operator other than a court
b) the organisation's core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
c) the organisation's core activities consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.
Point b) in particular has caused confusion because of its circular wording. The WP29 guidelines have clarified the interpretation of this point through examples. A company must also appoint a Data Protection Officer where processing personal data is not itself one of its core tasks, but carrying out those core tasks requires collecting personal data. An example of this is a hospital whose core mission is to provide health care: to fulfil that mission, the hospital must collect personal data. By contrast, delivering support functions such as payroll and IT support does not in itself require the appointment of a Data Protection Officer, even though personal data is collected in connection with these functions.
The guidelines specify that large-scale processing refers to the number of data subjects rather than to the size of the organisation. Thus even a small company is obliged to appoint a Data Protection Officer if it processes a large amount of personal data. Regular and systematic monitoring, in turn, covers, for example, online monitoring such as behaviour-based advertising and location-based services. Further examples can be found in the guidelines.
A Volunteer Data Protection Officer?
Even if a company is not obliged under the Regulation to appoint a Data Protection Officer, it is still advisable to determine who is responsible for considering data protection issues in the company's activities. This person could also act as the contact person for questions concerning the rights of data subjects and for regulatory supervision.
I recommend that companies avoid referring to the volunteer contact person as the Data Protection Officer, so that the role is not confused with that of the compulsory Data Protection Officer, whose role and function have to follow certain requirements. At the same time, it would be good to document in writing the reasons why the company has decided that an official Data Protection Officer is not required. Regardless of whether the Data Protection Officer role is compulsory or voluntary, he or she is not personally responsible for complying with the Regulation. This responsibility is always with the controller or processor.