How to choose a DPO? Practical insights
The data protection officer (DPO) is a key position under the GDPR, responsible for compliance with data protection rules. It is mandatory for some entities and voluntary for the rest, and it carries a strict set of rights, duties and liability prescribed by the GDPR. The DPO must be independent, must report directly to the highest management level and must be free of any conflict of interest. The DPO's role is an advisory one: the DPO is both a facilitator and the contact person for all stakeholders.
Under the GDPR framework, data controllers and data processors alike are obliged to appoint a DPO if certain conditions are met. If they voluntarily opt to appoint a DPO, the complete set of rights and obligations surrounding the DPO position becomes applicable as such.
Under the GDPR, the duties of the DPO may be performed internally or outsourced to a specialized and/or authorized third-party DPO company.
Who needs to appoint it?
This article will not focus on the cases in which the appointment of a DPO is mandatory. The Article 29 Working Party (Art. 29 WP) has issued pages of guidelines to this end. Considering the relevant criteria of the GDPR and the Art. 29 WP guidance, many companies will actually find it hard to document that they are exempt. In any event, if a company truly believes it does not need to appoint a DPO, it should very clearly and professionally explain and document that conclusion in writing. To this end, all documents relating to the internal analysis, reasoning, separate opinions, internal meetings and external advice should be archived with a view to documenting the company's best efforts towards GDPR compliance.
In any event, as noted, both data controllers and data processors meeting the criteria must appoint a DPO. Cloud providers, as one of the most obvious categories of data processors, should equally appoint a DPO if they meet the legal criteria for this obligation. We note that, in Romania, the supervisory authority has recommended that data controllers and data processors who do not fulfill the criteria listed in art. 37 GDPR appoint a DPO on a voluntary basis.
What does it look like?
The DPO should have proficient knowledge of data protection law and practices and the ability to fulfill a series of tasks expressly prescribed by the GDPR, as well as any related operations necessary for fulfilling such tasks.
Art. 29 WP again provides guidance on these requirements:
- knowledge of data protection law refers to expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR;
- the level of expertise must be proportionate to the sensitivity, complexity and amount of data processed by the organization;
- the ability to fulfill tasks refers both to the DPO's knowledge and to his/her position within the organization.
Within the organization, the DPO would normally be the individual with the best expertise in data protection matters, but also one senior enough to play the role, manage all stakeholders and have sufficient credibility and support from top management. The DPO must be a facilitator and must be able to resist pressure from all sides.
The right balance between these two areas (data protection knowledge and seniority) may sometimes be difficult to achieve; in our view, seniority is the decisive factor. Nonetheless, the required level of expertise and knowledge can also be supplemented with the support of an internal team or with external support (an external DPO or external consultancy).
In the case of an internal DPO, data controllers and data processors should be aware of the conflict of interest and independence criteria. The DPO cannot actually take any business decisions within the organization (e.g. the type of personal data to be processed, the means of processing data) and cannot be in a position to validate or invalidate his/her own previous business decisions while holding another job in the same organization. Attention should be paid to personal relations and previous affiliations when assessing the independence criteria. This brings additional limitations to the DPO selection process. Any breach of the conflict of interest restrictions is expressly sanctioned under the GDPR. Independence and freedom from conflicts of interest must also be ensured in the position documentation (contract, job description, organizational chart, organization and functioning regulation, etc.).
Where can I find it?
Either within the organization or outside it.
Inside the organization, a company will face the challenge of eliminating conflicts of interest and ensuring independence.
Outside the organization, the DPO may be a newly recruited employee or a freelancer, on the one hand, or a separate legal entity (external DPO), on the other.
In a recruitment process, a company will face the recruiting burden, considering that data protection specialists are rather scarce on the market. If the individual is licensed as a freelancer, a company should, depending on the structure of the relationship, pay attention to the risk of fiscal requalification as a dependent (employment) position.
For many companies, an external DPO may be the most appropriate option. A DPO is not in essence a function reserved to individuals, and a company may act as an external DPO. An external DPO may have additional resources, professional liability insurance, better exposure to similar projects and therefore higher expertise. However, the external DPO firm should appoint a main contact person for each client. This is similar, for instance, to an audit company, which must appoint a specific individual as the key person responsible for a particular client account relationship (including for the purposes of the auditor's registration with the trade registry).
A combination of internal and external resources may actually be the best approach in many instances. An internal DPO would, for instance, ensure close management of the related data protection projects (and an appropriate and sufficient flow of information towards the external advisors), combined with the use of external resources (lawyers, privacy-specialized companies) according to the organization's business needs.
Below we have created a very brief comparison of pros and cons for the various options:
| Option | Pros | Cons |
| --- | --- | --- |
| Internal DPO | | |
| External DPO | | |
| Privacy consultants (to be used when a DPO is not required and the company did not opt in for a DPO on a voluntary basis) | | |
How can I retain it?
Assuming that all prerequisites are cleared (e.g. conflicts of interest), convincing an individual to take over the internal DPO position can be difficult. A DPO may request, for instance, contractual liability limitations, professional liability insurance paid by the company, a certain team and a budget. Evaluate such options and be prepared to confirm whether such requests can be accepted.
Offer the DPO comfort that he/she will have all the logistics needed but, most importantly, support and commitment from the highest management level. No compliance program can succeed if top management commitment is missing.
Think about a remuneration system that secures the independence and long-term dedication of the DPO, such as a deferred bonus system, a long-term incentive plan, etc. Think about benefits, evaluation criteria and KPIs.
Evaluate the type of contract that can legally be used for retaining an internal DPO: an employment contract or a management/civil contract? There are opinions that a management/civil contract, while legally possible, does not in fact observe the spirit of the GDPR and does not ensure the independence criteria. Assuming an assessment that would validate a management contract for this purpose, such a civil contract would certainly allow better flexibility in terms of liability and termination. Moreover, given that the DPO reports to the top management level, a civil contract may be more suitable for this top-level position with an advisory and supervisory role.
In any event, when a DPO is retained under an employment contract, the following applies under Romanian law: (i) the termination of an employee is rather strict and formal, (ii) employees can obtain reinstatement in their previous position in court, (iii) the burden of proof lies with the employer, (iv) the employee can acknowledge his/her civil liability towards the employer only up to a certain limit, a court decision being necessary for the excess, (v) salary withholdings are also limited, (vi) there are opinions that liquidated damages clauses are not allowed in employment relations, (vii) employees cannot waive their legal rights, etc. Considering the express restriction under the GDPR on dismissing a DPO for performing his/her tasks, a dismissal for professional unfitness would be extremely difficult; therefore, opting for alternatives (i.e. a management contract, assuming clearance to use this type of contract, or, ideally, an external DPO) seems highly advisable.
Moreover, irrespective of the contractual ground, an individual (internal DPO) will generally be far less solvent than an external DPO in the event of a liability claim.
Can I share it?
Art. 29 WP makes it clear in its guidance that a DPO can be shared, for instance by a group of companies. In this case, the DPO should have local teams to support him/her in each relevant country, providing, among other things, specific knowledge of the local market and of the supervisory authority's approach, as well as local language skills (to be able to act as contact person for the authorities and local data subjects). Irrespective of this common view and approach of Art. 29 WP, it seems that some supervisory authorities might recommend having a DPO at the level of each group entity with legal personality (e.g. for easier access to the DPO, better communication or better monitoring of the personal data processing).
***
This article was intended as a practical guide to assist market actors, controllers and processors alike, in making their assessment and validating the best option for their company. It is not intended to be exhaustive or 100% correct, as it expresses opinions only.
Article provided by: Adelina-Iftime Blagean (Wolf Theiss Rechtsanwälte)
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org