A sneak peek into the role of the DPO based on selected EU sanctions

The Data Protection Officer (hereafter the “DPO”) plays a central role in matters of personal data protection and its designation is essential to guarantee that a controller or processor respects the principle of accountability, as already pointed out in our previous article entitled “The DPO as a measure of accountability. Guidelines and safeguards in the light of the case law of European Supervisory Authorities[1].

Given the crucial nature of this role – which is new to some legal systems, such as the Italian one – the Article 29 Working Party (“WP29”), now the European Data Protection Board, has deemed it appropriate to provide guidance to Data Protection Authorities (hereafter “DPAs”) and therefore to legal professionals and organizations by means of publishing the “Guidelines on data protection officers (DPOs)[2]. At the national level, the Italian Data Protection Authority has provided further guidance through specific FAQs dedicated to both the private[3] and the public sector[4]. All these contributions, at the European and national level, were necessary to clarify the cases in which the appointment of the DPO is mandatory and the specific characteristics he or she must possess, as well as the conditions that need to be maintained to ensure the effectiveness and autonomy of their role.

 

The complexity of this figure and its tasks is confirmed by several rulings and sanctions already issued by the various European DPAs, which have further clarified how organizations can comply with Articles 37-39 of Regulation (EU) 2016/679 (hereafter the “GDPR”). Among these pronouncements, it can be recalled a recent sanction issued by the Luxembourg Data Protection Authority[5]  in which it specified, for the first time, that the qualification requirements for a DPO (under Art. 37(5) GDPR) are met if he or she has at least three years of professional experience in data protection. The Luxembourg DPA also challenged the DPO’s “passive” role in all matters relating to data protection, as the company had not formalized the DPO’s involvement in meetings and the DPO had not frequently participated in the executive committee and any other consultative body which was deemed useful in the context of data protection.

 

The Luxembourg DPA criticised the data controller to failure to assess the conflict of interest (Art. 38(6) GDPR) between the different functions carried out by the DPO. The DPA clarified that it also expects the company to have carried out an analysis of the existence of a possible conflict at the level of the DPO.

On the need to ensure the absence of a conflict of interest, there are further sanctions which clarify the indications contained in the aforementioned WP29 guidelines, whereby the designation as DPO was deemed inadequate and sanctioned. For example, the following roles may be considered to represent a conflict of interest:

          • the IT manager;
          • the head of the compliance department and the head of anti-money laundering reporting;
          • the head of the internal audit, risk, and compliance departments.

Establishing the presence of a conflict of interest or failing to analyze its absence was subject to fines of up to EUR 50,000.

More generally, what is confirmed by the decisions referred above is the assumption that conflicts of interest exist whenever the DPO finds him or herself in a position where he or she needs to take part in the decision-making procedure relating to certain processing activities. Nothing, therefore, excludes the possibility that a role (in addition to being the DPO), which is not top management and hierarchically inferior to the managerial ones, may give rise to its incompatibility (i.e., conflict of interest) if that role concretely entails the determination of the purposes and means of the processing.

 

In addition to the clarifications already offered, it should be added that, while the incorrect designation of a DPO can be costly, the very failure to appoint one can also entail serious sanctions, as confirmed by the decisions against:

          • an Italian municipality[6];
          • the Italian Ministry of Economic Development[7];
          • Glovoapp23 SL, sanctioned by the Spanish Data Protection Authority[8];
          • a (Spanish) company active in the private security sector[9];
          • a (Spanish) company active in the gambling sector[10];
          • an Austrian data controller acting in the medical sector[11];
          • a telecommunications service provider, sanctioned by the German Federal Commissioner for Data Protection and Freedom of Information[12].

 

Recommendations

From the sanctions imposed for non-compliance with the DPO requirements, one can understand the paramount importance of the DPO in an organization’s data protection framework.

In order to comply with the requirements under the GDPR and not be exposed to sanctions in respect of the DPO, it will become essential to:

          • first check whether one of the designation obligations set out in Article 37 of the GDPR applies;
          • in cases where there is no obligation to do so, assess whether it is necessary or appropriate in light of the principle of accountability;
          • where this is the case, to understand which party is able to guarantee the professionalism and experience required for the performance of the activity;
          • avoid situations that expose the DPO to conflicts of interest, and where deemed necessary, also with a view to accountability, set up plans to monitor potential conflicts of interest that may arise in the exercise of other functions, in addition to that of the DPO; it is then necessary to document the performance of this analysis;
          • communicating the DPO’s contact details to the relevant Data Protection Authority;
          • publish the DPO’s contact details, thus making him or her easily accessible to the organisation’s staff, other stakeholders, and the relevant Data Protection Authority;
          • ensuring adequate resources for the DPO, so that he/she can effectively carry out his/her duties proactively, both in terms of budget, staff and the time actually allocated to the function;
          • ensuring that the DPO can report directly to the top management without any intermediation and/or mediation that might influence his or her activities;
          • Involve the DPO in all matters concerning the protection of personal data and formalise his or her participation in them, keeping a documentary record of his or her consultation and of the reasons that may lead the organisation to deviate from his or her recommendations;
          • involving the DPO in data protection impact assessments and risk analyses;
          • not adopting decisions or measures that could penalise the DPO in the performance of his or her duties.

It is therefore clear that the role of the DPO and the related obligations entail considerable risks that require a necessary and careful data protection compliance activity.

 

 

 

 

[1] The DPO as a measure of accountability. Guidelines and safeguards in the light of the case law of European Supervisory Authorities https://www.ictlc.com/the-dpo-as-a-measure-of-accountability-guidelines-and-safeguards-in-the-light-of-the-case-law-of-european-supervisory-authorities/?lang=en.

[2] Guidelines on Data Protection Officers (‘DPOs’) of the Article 29 Working Party, published on 13 December 2016 and amended on 5 April 2017: https://ec.europa.eu/newsroom/article29/items/612048/en.

[3] The FAQ on the Data Protection Officer (DPO) in the private sector of the Italian Data Protection Authority is available at the following link: https://www.garanteprivacy.it/faq-sul-responsabile-della-protezione-dei-dati-rpd-in-ambito-privato

[4] Data Protection Officer (DPO) in the public sector: the new Faq of the Italian Data Protection Authority: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/7388193

[5] See Délibération n° 38FR/2021: https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2021/Decision-38FR-2021-sous-forme-anonymisee.pdf

[6] Measure of the Italian Data Protection Authority against the Municipality of Luino: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9557593 

[7] Order of injunction against Ministry of Economic Development: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9556625

[8] Measure of the Spanish Data Protection Authority against Glovoapp23 S.L.: https://www.aepd.es/es/documento/ps-00417-2019.pdf

[9] Measure of the Spanish Data Protection Authority against Conseguridad S.L.: https://www.aepd.es/es/documento/ps-00251-2020.pdf

[10] Measure of the Spanish Data Protection Authority against ACONCAGUA JUEGOS S.A.: https://www.aepd.es/es/documento/ps-00231-2021.pdf 

[11] Penalty imposed by the Austrian Data Protection Authority on a data controller acting in the medical sector: https://edpb.europa.eu/news/national-news/2019/austrian-dpa-fines-controller-medical-sector_en

[12] Measure of the Federal Commissioner for Data Protection and Freedom of Information: https://www.bfdi.bund.de/SharedDocs/Pressemitteilungen/DE/2019/30_BfDIverh%c3%a4ngtGeldbu%c3%9fe1u1.html

ICTLC Italy
italy@ictlegalconsulting.com