GDPR rules require certain entities to appoint a Data Protection Officer. Where an organisation considers that such an obligation does not apply to it, it should properly document this.
The circumstances in which the appointment of a data protection officer for private sector entities is mandatory are governed by Article 37 General Data Protection Regulation (‘GDPR’). This obligation arises in situations where the main activities of the controller or processor consist of:
- processing operations which, by their nature, their scope or their purposes, require systematic and regular monitoring of data subjects on a large scale; or
- the processing on a large scale of special categories of personal data as referred to in Article 9(1) GDPR, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data, biometric data processed to unambiguously identify an individual, and data concerning a person's health, sexuality or sexual orientation, or of data referred to in Article 10 GDPR, i.e. data relating to criminal convictions and offences.
In other cases, the appointment of a Data Protection Officer is optional.
In practice, the greatest difficulty is caused by the imprecise concepts of ‘main activity’ and ‘large scale’.
The preamble to the GDPR indicates that ‘in the private sector, the processing of personal data is the main activity of the controller, if it is an essential and not secondary activity of the controller’. The Guidelines on Data Protection Officers (WP 243) of the Article 29 Working Party (now the European Data Protection Board) also stress that ‘main activities’ can be understood as the fundamental operations undertaken to achieve the objectives of a controller or processor.
However, the GDPR does not define the concept of ‘regular and systematic monitoring’ or ‘large-scale processing’. The use of such general formulations is appropriate in this case and aims at ensuring that the controller itself analyses the situation and assesses whether it is subject to this obligation. The guidelines provide some guidance for assessing whether it is necessary to appoint a data protection officer.
The guidelines also contain a number of examples of large-scale data processing, including the processing of patient data by hospitals, the processing of customer data by banks or insurers, the processing of data for behavioural advertising purposes by search engines, and the processing of content, traffic and location data by telephone or internet service providers. Although the main activity of medical facilities is the provision of healthcare, this activity would not be possible without the processing of data in the form of medical records. Hospital activities are therefore given as an example of ‘the main activity of processing sensitive personal data on a large scale’. By contrast, the processing of patients’ data by a single doctor or other health professional (nurse, midwife) is indicated as an example of processing that does not fall within the definition of large scale (according to recital 91 GDPR).
However, the guidelines do not contain specific figures to assess at what point the processing of data takes place on a large scale. They are based on the premise that, when the rules are applied in practice, standards will develop that will allow the concept to be clarified or quantified.
If an organisation considers that it is not obliged to appoint a Data Protection Officer, it is recommended, in accordance with the Guidelines and having regard to the principle of accountability, to document the procedure that has been followed to establish whether or not such an obligation exists. It is also worth remembering to update this documentation if the organisation intends to provide new services which could change the existing conclusions in this respect.
The appointment of a data protection officer, even when optional, also requires the fulfilment of the formal requirements provided for by the provisions of the Data Protection Act of 10 May 2018. The entity which has appointed the Data Protection Officer must report this to the President of the Data Protection Authority within 14 days, indicating, among other things, the name, surname and e-mail address or telephone number of the Officer. It must also make these data available on its website immediately after the appointment of the Data Protection Officer. If the entity does not operate a website, it must make this information available to the public at its place of business.
Katarzyna Żukowska, Karolina Romanowska