The Data Protection Officer (DPO) is a key figure at most companies. The officer’s main function is to guarantee compliance with the European Data Protection Regulation (GDPR) and the other applicable regulations, minimising risks and ensuring the protection of employee, customer and supplier information.

Although in many cases it is not mandatory to appoint a DPO, having one is a strategic decision that can provide reassurance and legal certainty to an organisation. This article examines the role and functions of the DPO and the cases in which their presence is essential.

What is a Data Protection Officer?

The Data Protection Officer is the professional in charge of overseeing the correct implementation of the data protection regulations in an organisation. The DPO was established by the European Data Protection Regulation (GDPR) and the DPO appointment must be notified to the Spanish Data Protection Agency (AEPD) or the competent authority in each EU country.

When is it mandatory to have a Data Protection Officer?

Article 37 of the European Data Protection Regulation sets out the cases in which an organisation is required to appoint a Data Protection Officer. This requirement applies in any of the following scenarios:

  • When the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
  • When the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic large-scale monitoring of data subjects.
  • When the core activities of the controller or processor consist of large-scale processing of special categories of personal data pursuant to article 9 of the Regulation and data relating to criminal convictions and offences referred to in article 10.

Although the aforementioned terms may be somewhat ambiguous, in practice, the Data Protection Officer is required at medium or large companies, especially those that handle large volumes of customer and employee data or databases. The DPO is also essential when the information processed by the company includes sensitive data such as health data, political beliefs, ideology, sexual orientation or biometrics (fingerprints, facial recognition, etc.).

The DPO is also mandatory in the case of an entity or company classified under article 34.1 of Spanish Constitutional Act 3/2018 of 5 December on Data Protection.

Some examples are as follows:
  • Entities operating electronic communications networks and services in accordance with the provisions of their specific legislation engaged in the routine and systematic large-scale processing of personal data.
  • Information society service providers engaged in large-scale profiling.
  • Insurance and reinsurance entities.
  • Entities which carry out advertising and commercial prospecting activities, including commercial and market research, engaged in the processing based on the preferences of the data subjects or in profiling activities.
  • Health centres legally required to maintain patients’ medical records (with exceptions, depending on the scale or if carried out on an individual basis).
  • Operators which carry out online or interactive gambling activities, in accordance with the gambling regulations.
  • Private security companies.
  • Sports federations when processing children’s data.

As stated earlier, even where appointing a DPO is not mandatory, the company may still decide whether it is appropriate to designate one voluntarily.

This tends to be the case at many multinational or medium-sized companies of a certain scale that handle large amounts of employee or customer data, those that regularly have to sign contracts containing data protection clauses, or those that have a certain volume of customer services, among others.

It also applies when automated processing is central to the company's business (e.g. companies that develop and implement software or use disruptive technologies such as AI, Big Data, etc.).

What are the functions of the Data Protection Officer?

The Data Protection Officer plays a key role at the company. The DPO’s main functions are as follows:

  • Ensure compliance with the GDPR, with an analysis and periodic review of the level of compliance and the measures adopted by the company in relation to the data processing carried out.
  • Inform and advise the controller, the processors and the employees themselves about their obligations.
  • Monitor and advise on regulatory compliance, including the assignment of responsibilities plus staff awareness and training.
  • Cooperate with the supervisory authority by acting as a contact point for the supervisory authority on issues relating to the processing of personal data within the organisation.
  • Recommend carrying out privacy impact assessments and impact studies before starting a project or the processing, and provide support in carrying out legitimation analyses prior to the data processing.
  • Provide support in handling claims and the exercise of data subjects' rights.

From experience we can say that the Data Protection Officer becomes a cross-cutting ally that supports many of the company's departments, advising on the good practices and measures that should be implemented to ensure compliance with the regulations. Thus, for example, the DPO is a key figure for the company's human resources, communication, administration, IT or systems departments.

Who can be a Data Protection Officer?

The European Data Protection Regulation does not establish a specific qualification for the Data Protection Officer, but it does require the DPO to have specialised knowledge of law and data protection. The DPO can be:

  • A company employee.
  • An external professional hired to provide the service.

In both cases, the DPO must act independently and not receive instructions regarding the functions performed.

How can we help you with data protection?

Our team of TMT & IP professionals provides this service in a highly customised way, tailoring it in detail to the needs of your company. We advise all types of companies that require this service, drawing on more than 17 years of experience in this field.

Sometimes, companies do not require a Data Protection Officer as such, but they do need a consultant or lawyer to accompany them in this very specific and specialised regulatory compliance.

At AGM Abogados, we believe that personal information is a key asset for companies, whether it is the data of their employees or their clients. Therefore, processing such information with respect is essential for the proper functioning of the business.

If you have any doubts about the regulations or need specialised advice, please consult AGM Abogados' data protection service or contact AGM Abogados.