Henrique Fabretti Moraes
Tiago Neves Furtado
Originally published on the IAPP website
Attention to the data protection officer function has increased substantially since the EU General Data Protection Regulation entered into force, and that has generated many discussions and doubts about how to implement the role effectively, without excessive burden on organizations and, of course, in full compliance with the regulation.
The following is a consolidation of some of the most enlightening decisions issued by European data protection authorities, intended to help you address practical problems that companies and privacy professionals usually face.
Appointing a DPO located in another country
Issue date: December 2019
The Hamburg Commissioner for Data Protection and Freedom of Information imposed a fine of 51,000 euros on the German branch of Facebook because, in the authority's view, it had failed to appoint a DPO. In its defense, Facebook argued that its DPO had been appointed in Ireland and acted as DPO for all of its European branches. The German DPA countered that Facebook had not notified it of that appointment.
Therefore, even if an organization has already communicated its DPO to one supervisory authority, and despite the consistency mechanism, it is highly recommended to also notify the supervisory authorities of every other country where the organization has branches.
Can a DPO represent its controller or processor before the DPAs?
Issue date: Jan. 23, 2020
The Hellenic Data Protection Authority, after receiving several requests from controllers to be represented by their DPOs, released a statement that DPOs are not allowed to act as the controller's representative before the authority, since this could jeopardize the autonomy or independence of the DPO.
This decision is fully aligned with the EDPB guidelines on Data Protection Officers and Article 38(6) of the GDPR: representing the controller before the DPA means defending and protecting the organization's interests, which would cost the DPO the impartiality needed to exercise its second-line-of-defense role.
Limits on acting as an outsourced DPO
Issue date: Sept. 13, 2019
The EDPB guidelines on DPOs allow controllers and processors to designate an external DPO based on a service contract, but recommend that the third party designate a lead individual as the person in charge and lead contact.
In this context, the Administrative Court of Puglia issued a decision raising an interesting point about the hiring of an outsourced DPO: the individual appointed as DPO must belong to the hired company. In other words, it is not possible to hire a company as an outsourced DPO and have that company in turn hire an external individual to fulfill the role.
Having a data protection committee does not replace the obligation to appoint a DPO
Issue date: June 2020
The Spanish DPA, Agencia Española de Protección de Datos, imposed a fine of 25,000 euros on the company GLOVOAPP23 for not formally appointing its DPO. The company alleged that it had constituted a data protection committee covering the company's technical areas, as well as a data protection subcommittee that would also perform the tasks of the DPO.
However, the AEPD held that having such a committee is not enough to fulfill the obligation of Article 37 of the GDPR. This decision is relevant especially because it establishes that, regardless of the structure and roles an organization sets out for privacy and data protection, it is not exempted from appointing a DPO when the regulation requires one.
Can a DPO also do compliance, internal audit and risk roles?
Issue date: April 28, 2020
The Belgian Data Protection Authority issued a controversial decision when analyzing the position of the DPO in a telecom company that had designated as DPO an individual who also served as head of compliance, internal audit and risk management.
In short, the company was fined 50,000 euros for infringement of Article 38(6) of the GDPR. But before panicking, it is necessary to understand this decision in detail.
First of all, the Belgian DPA made clear that conflicts of interest must be analyzed case by case, and this decision does not mean that no compliance officer can ever be designated as DPO.
The authority based its decision on four key questions:
- What is the impact of the DPO position on the decision-making of the individual's other functions?
- Is the role of the DPO compatible with the internal audit function, considering that a report issued by that department could lead to the dismissal of a particular employee? And what decision-making authority does the DPO hold as head of internal audit?
- How can the DPO supervise the data protection practices of these departments (compliance, risk and internal audit) in an independent manner?
- Taking into consideration all the roles held by this individual, can the confidentiality expected of the DPO in relation to other employees be guaranteed at a satisfactory level?
In this particular case, the DPA considered that those questions had not been sufficiently addressed, resulting in the aforementioned sanction.
But, reading between the lines of this decision, two points are worth discussing further. First, at some point early in the administrative procedure, the company stated that the DPO acted as data controller for the compliance, internal audit and risk management departments, being in a position to define the purposes and means of processing personal data.
Second, the authority expected that, considering the size of the company and how relevant the processing of personal data is to its business, it would show a higher level of diligence and maturity in complying with the GDPR.
It is important to recognize that there are numerous additional issues and questions that these decisions do not address or answer. However, they provide some relevant guidance that, together with the EDPB guidelines and opinions, should steer your organization toward compliance with the GDPR when appointing a DPO or defining its functions.