In this article, we discuss topics related to Data Protection Officers (DPOs), covering the cases in which it is mandatory for the data controller to appoint a Data Protection Officer, as well as examining the duties and legal status of such officers.

Mandatory cases of appointing a Data Protection Officer

The data controller must appoint a Data Protection Officer if his main activity involves the large-scale processing of special categories of data or requires large-scale, regular and systematic monitoring of data subjects. In this regard, monitoring the behavior of data subjects includes all kinds of online tracking and profiling, including behavioral advertising.

A good example of the large-scale handling of special data is a hospital, which processes a great amount of personal healthcare data. Regarding monitoring, a security service provider company responsible for the surveillance of shopping malls and public areas is an example, while in connection with profiling, even small personnel consultancy companies that create profiles of people are affected by the provision.

Loyalty programs can also be considered regular and systematic monitoring, since shops use algorithms to give regular customers an automatic discount based on observations of their purchase amounts or other characteristics.

Irrespective of the mandatory cases discussed above, appointing a DPO can be beneficial for all businesses, since compliance with the GDPR is mandatory for every data controller and the Data Protection Officer can provide essential assistance with it. The Data Protection Officer can be a member of the existing staff of the organization or an external contractor. The Data Protection Officer can also be either a person or an organization.

Who is this so-called Data Protection Officer? What are his duties?

The Data Protection Officer is a person who is familiar with the rules and practices relating to data protection and with the operation of the data controller, and is therefore able to assist the data controller in matters relating to the protection of personal data.

Within the scope of his duties, the Data Protection Officer shall provide professional advice and information to the data controller and its employees in connection with their obligations under the GDPR. The DPO also monitors compliance with both the GDPR and the data protection rules of the data controller, which includes the assignment of responsibilities, raising awareness and training of staff involved in data processing activities, and related audits.

In addition to the above, the Data Protection Officer shall cooperate with the supervisory authorities, act as their point of contact in matters related to data processing activities, and consult them on any other matters as they arise.

Legal status of the Data Protection Officer

The data controller shall enable the Data Protection Officer to carry out his duties by ensuring that the Data Protection Officer is involved in all matters relating to the protection of personal data in an appropriate and timely manner. In light of the above, the DPO shall be invited to middle and senior management meetings, especially when data protection decisions are being made. In order for the DPO to give appropriate advice, all relevant information shall be provided to him in a timely manner. The opinion of the Data Protection Officer shall always be given due weight. In case of a disagreement between the Data Protection Officer and the data controller, it is advisable to record the circumstances in writing. This may turn out to be significant later on, especially in case of liability issues.

The data controller shall support the Data Protection Officer in the performance of his duties by providing him with all necessary resources, access to personal data and data processing activities, and by ensuring the maintenance of his professional expertise. This means giving the DPO sufficient time to carry out his duties, supporting him with financial resources, infrastructure, necessary premises, equipment, facilities, access to staff, and legal and IT services, and funding his training.

In order for the DPO to function independently and without influence, the data controller must ensure that the DPO does not accept instructions or orders from anyone during the performance of his duties. In the course of his daily work, it is therefore not possible to instruct the DPO on how to investigate (or not to investigate) a subject or how to answer a question. The data controller shall not dismiss or sanction the Data Protection Officer for performing his duties.

We also need to emphasize that the Data Protection Officer is bound by a duty of confidentiality, including the confidentiality of the data, during the performance of his tasks, and that he reports directly to the senior management of the data controller.

In summary, we would like to note that the data controller should consider the Data Protection Officer a partner rather than a burden. A common mistake is for the data controller to consider the job done once a Data Protection Officer has been appointed, without providing him with the real support detailed above. In the absence of cooperation, the Data Protection Officer is unable to perform his duties properly, or at all.

It should therefore be emphasized that giving proper support to the Data Protection Officer is in the interest of both parties: with the appropriate backing, the DPO can provide indispensable assistance to the data controller in all data protection aspects of his business.