Dutch DPA provides clarity on the position of the Data Protection Officer (DPO)

 August 17, 2021 | Blog

Following the entry into force of the General Data Protection Regulation (“GDPR”), the data protection officer (“DPO”) has played a key role in terms of compliance with the GDPR and the protection of personal data within organisations. In some situations, organisations are even obliged to appoint a DPO. Although the concept of the DPO is not new, and it is common practice in several EU member states to appoint DPOs, the implementation sometimes causes difficulties and ambiguities. In an attempt to resolve these difficulties and to further professionalise the profession, the Dutch Data Protection Authority (“Dutch DPA”) recently published its principles for creating a strict internal supervision system.

This blog provides a summary of the DPO’s role within an organisation.

What are the roles of the data protection officer?

The data protection officer acts as an adviser, supervisor and information exchange point within the organisation.

The DPO as an adviser:

  • The DPO, as part of its advisory role, informs and advises the data controller or the data processor and employees that process data on their obligations pursuant to the GDPR. The Dutch DPA has now clarified that this means that the DPO is an internal and independent privacy officer who supervises compliance with the organisation's privacy statement and advises on the associated risks.
  • In specialist cases, the DPO can request legal or other advice from external parties before advising the organisation, but the DPO cannot request advice from the Dutch DPA.
  • When new products or services are developed, the DPO advises on how the processing can take place lawfully, fairly and in a transparent manner. The DPO is not responsible for its advice being followed up, but does promote organisational awareness of the occurrence of privacy risks. This objective can only be accomplished if the DPO is clearly visible within the organisation and directly approachable by people within and outside the organisation.

The DPO as supervisor (in line with its role as adviser):

  • The DPO supervises compliance with the provisions of the GDPR and of the data controller or data processor's policy on the protection of personal data.
  • The allocation of responsibilities, awareness and training of employees involved in the data processing and the related audits also form part of this. The DPO does so by addressing the highest management level within the organisation and drawing up reports when things go wrong or if risks are identified.
  • If the DPO is very concerned about deliberate non-compliance with the GDPR, the DPO must be able to report this to the Dutch DPA.

The DPO as an information exchange point:

  • As the DPO has an independent position, the Dutch DPA states that it is not appropriate for the DPO to represent the organisation in legal proceedings. However, this is not always clear to organisations or to the DPO, as is shown by the KNLTB fine, where the KNLTB adopts the view that the Dutch DPA wrongly failed to involve the DPO in the investigation despite the DPO's willingness to cooperate and provide information.
  • In addition, the DPO may not perform positions that involve responsibility for data processing, also in order to guarantee that the DPO is independent and to avoid conflicts of interest.
  • Although the DPO may not represent the organisation, the DPO may act as a contact point for regular contact with the DPA.

The organisation's responsibilities towards the DPO

Organisations must enable DPOs to perform the roles outlined above in a satisfactory manner, and therefore have responsibilities towards them. They must ensure that the DPO can have an independent position within the organisation, has proper access to the highest management level within the organisation and has sufficient time and resources at its disposal to perform its tasks. The DPO can call the organisation to account if it fails to fulfil these responsibilities. The DPO must also be granted the opportunity to keep its expertise and skills up to date, and is expected to take the lead in this. Moreover, the organisation is responsible for properly informing the DPO about contacts between the Dutch DPA and the organisation, and must draw up rules so that this information provision to the DPO is not arbitrary.

Processes

The Dutch DPA's principles also provide clarity on the relationship between the Dutch DPA and the DPO in various processes. The DPO acts as the first point of contact for complaints about the processing of personal data from parties that are involved, such as citizens, clients or employees. The Dutch DPA checks if the DPO has dealt with the complaint and considers any input provided by the DPO. If the complaint is directed at the Dutch DPA, the DPA can request the party involved to contact the DPO instead, or to proceed with enforcement directly without prior contact with the DPO. The Dutch DPA prefers the first option.

Once the Dutch DPA decides to start a formal investigation, from that point onwards it will not discuss the content of the investigation with the DPO. The Dutch DPA may, however, request the DPO's reports and advisory opinions and use these in its assessment of data processing within the organisation. This process is linked to the DPO’s role as information exchange point and its independent position. As the DPO is not involved in the content of the formal investigation, the DPO cannot later be accused of having influenced the Dutch DPA. Contact on the investigation's progress or other matters is, however, allowed.

What if the DPO fails to properly perform its tasks?

The DPO's independent position means that the organisation cannot just dismiss or sanction the DPO during the performance of its tasks. However, there are situations where the organisation may want to part with the current DPO, for example if the DPO fails to properly perform its tasks. It is important to note that all sanctions that are purely related to the DPO properly fulfilling its obligations are prohibited, and that there is only scope for sanctions that are not related to the proper fulfilment of the DPO’s tasks. The Dutch DPA has not provided clarity on this point yet, and case law at the moment also does not offer possibilities to dismiss DPOs who fail to properly perform their tasks. Dismissal on grounds not related to the performance of the DPO's tasks is, however, possible.

Conclusion

Following the coming into effect of the GDPR, DPOs are becoming increasingly professional, but we have to keep a close eye on the DPO's position. Primarily, organisations have an obligation to embed the position of DPO within their organisation, and an additional obligation to actually appoint a DPO. In some cases, it may be sufficient for someone to complete a DPO course, but in general it is advisable to ensure that the DPO is an expert in its field. The DPO's independent position means that dismissal cannot be effected without solid grounds, even if the DPO does not have sufficient expertise. Organisations have to be aware of this.

Do you have any questions about this topic? Then feel free to contact Martin Hemmer.

Authors of this blog: Martin Hemmer and Willeke Markesteijn (student trainee). 