In March 2017, the LDI NRW (the data protection and freedom of information commissioner of North Rhine-Westphalia) published FAQs that are intended to provide an overview of the new requirements on Data Protection Officers (DPO) under the GDPR (Regulation (EU) 2016/679) and the Law Enforcement Directive (Directive (EU) 2016/680, in German the "JI-Richtlinie", i.e. the Justice and Home Affairs Directive). These application tips are the first statements by a German supervisory authority on the subject. We have summarized the most important points.
I. The appointment of the DPO
Art. 37 Subsection 1 lit. b and c GDPR stipulate when companies are required to appoint a Data Protection Officer (lit. a covers public authorities and bodies). Accordingly, the obligation applies if a company's "core activities" consist of "regular and systematic" monitoring of data subjects (lit. b) or of processing special categories of data as defined in Art. 9 GDPR or data relating to criminal convictions and offences as defined in Art. 10 GDPR (lit. c), and in either case the processing takes place "on a large scale" (lit. b, c). All three elements, core activity, the type of processing and large scale, must be present.
In the LDI's opinion, monitoring is present, for example, if the data subject's internet activities can be traced; this is certainly the case where profiles are created that serve as the basis for personalized decisions or for analyses and predictions. The basis for this is Recital 24 GDPR, which describes monitoring as the tracking of natural persons on the internet, in particular in order to profile them. Personalization functions on websites are a possible example.
The LDI draws several criteria from Recital 91 GDPR for assessing whether the processing of special categories of data, or the monitoring, is carried out on a large scale: the volume of personal data, the processing at regional, national or supranational level, the number of data subjects affected and the duration of the processing.
The LDI recommends making the appointment in writing, although this is not a legal requirement. The written appointment can also be used to document the duties of the DPO. The LDI further recommends re-appointing an existing DPO with effect from the date on which the GDPR applies, i.e. from May 25, 2018, in order to remove any uncertainty resulting from the change of law.
II. Requirements on suitability for the position of DPO
The LDI requires that the DPO have sound expert knowledge. This should cover not only the company's internal processes and processing steps, but also its IT systems and security measures. The specific level of knowledge required depends on the complexity of the data processing and on its effects on the data subjects.
To avoid a conflict of interests, the DPO must not have any other duties or responsibilities that are closely related to the processing of personal data. In the LDI's opinion, members of the company management and senior staff in the IT or HR departments are therefore ruled out for the position of DPO. Even ordinary employment in these departments can give rise to a conflict of interests if the position allows the employee to influence the processing steps.
III. Duties of the DPO
The core duty of the DPO is to support the management of the controller or processor. The LDI summarizes this as gathering information in order to identify the processing activities, analysing the processing and checking it for legal conformity, and informing and advising the controller or processor. In doing so, the DPO should focus on processing that poses a high risk to the data subjects.
In the data protection impact assessment (Art. 35 GDPR), the DPO is involved only in a monitoring and advisory capacity (Art. 35 Subsections 1 and 2 GDPR). Responsibility for actually carrying it out lies with the company management. If management does not follow the DPO's advice, the reasons for this should be documented in writing. The same applies to the records of processing activities (Art. 30 GDPR). The LDI also recommends attaching reference documents to those records, such as the result of a data protection impact assessment.
Externally, the DPO acts as the contact person both for the supervisory authority (Art. 39 Subsection 1 lit. d, e GDPR) and for the data subjects (Art. 38 Subsection 4 GDPR).
As the position is purely a supporting one, the DPO is not personally responsible for compliance with data protection law. Responsibility remains with the controller, represented by the company management.
IV. Support for the DPO
In the LDI's opinion, the DPO must be involved properly and in a timely manner in all matters concerning the protection of personal data. The DPO must be supported in this work with resources, with access to personal data and processing operations, and with specialist literature and further training. The DPO must also be independent and free from instructions in performing these tasks.
V. Prerequisite for a joint DPO as per Art. 37 (2) GDPR
Under Art. 37 Subsection 2 GDPR, a group of undertakings may appoint a single Data Protection Officer, provided that the DPO is "easily accessible" from each establishment. In the opinion of the LDI, this is the case if the DPO is available both personally and linguistically, as seen from the perspective of the data subjects, the supervisory authorities and the company's employees.
The DPO is considered personally available, for example, if a hotline has been set up, contact forms are integrated into the website, a consultation time is scheduled for employees, or the DPO's contact details can be found both on the intranet and on the website.
Linguistic availability is given if communication is possible in the language spoken by the supervisory authorities and the data subjects.
The FAQs repeat and systematize the provisions and recitals relevant to the DPO. In part they also contain the LDI's own legal interpretations. The examples given by the LDI provide practical orientation. The LDI's recommendations thus offer a first official point of reference on important questions, which companies can take into account when shaping their data protection organization.