Should a deputy DPO be appointed (designated) to a permanent position?
How should the word "designate" used in Article 11a of the Act on the Protection of Personal Data be understood? Under that provision, the controller who has appointed the DPO may designate a person to replace the officer during his/her absence. Therefore, in some comments to the provisions on the protection of personal data, it is indicated that the person replacing the data protection officer should not be designated permanently, but only for the duration of his/her absence. However, shouldn't the correct understanding of the provision be different? Should the position of a deputy not be established in the organisational structure? Shouldn't employment as a deputy be permanent, if only because such a person must have appropriate professional qualifications? Such an approach would also be supported by the fact that the absence of the DPO may be planned, but more often it is unplanned, and it is difficult to imagine each time notifying the President of the Personal Data Protection Office about these facts (designated, cancelled). This practice introduces a lot of confusion, undermines the importance of officers and is critically perceived by employees.
The GDPR imposes specific obligations on the controller towards the data protection officer functioning in its organisation, and the manner of their implementation depends on the specificity of the given controller (inter alia its size, structure, type of activity) and its data processing (among others the nature, scope, context and purposes of processing). Depending on these factors, the controller must provide the DPO with appropriate operating conditions that enable him or her to perform his or her tasks effectively and correctly.
Providing support to the DPO in fulfilling his/her tasks, including providing him/her with the necessary resources, is one of the obligations of the controller, expressed directly in Art. 38(2) of the GDPR. As the Article 29 Working Party explains in its Guidelines on Data Protection Officers, depending on the size and structure of the organisation, it may be useful to appoint a team of Data Protection Officers (DPOs and their staff).
The DPO team may include the person(s) replacing the officer during his/her absence. The possibility of appointing such a person is created by Article 11a(1) of the Act on the Protection of Personal Data. This provision, read literally, indicates that the controller may at any time appoint a deputy DPO who will perform this function during the absence of the DPO. It is therefore up to the controller to decide whether to designate a permanent deputy (without the need to appoint and dismiss during individual absences of the DPO) or whether to appoint a deputy on an ad hoc basis only for the time of the actual absence of the officer.
However, the following paragraphs of this Article indicate that the person replacing the officer must meet the qualification criteria resulting from Article 37(5) and (6) of the GDPR, i.e. analogous to the DPO. In connection with the performance of the duties of the officer during his/her absence, the provisions concerning the officer shall apply mutatis mutandis to the person replacing him/her (Article 11a(2)). In addition, pursuant to Article 11a(3) of the Act on the Protection of Personal Data, Articles 10 and 11 of that Act shall apply to the designation of a person to replace the officer. This means that the controller or processor who decides to designate a deputy DPO is obliged to notify the President of UODO of his/her appointment and make other notifications regarding the change of data or dismissal of the deputy, and is obliged to publish his/her name, surname and e-mail address or telephone number on its website (and if he does not run its own website, in a manner generally accessible at the place of business).
The solution consisting in designating a permanent DPO deputy not only allows to ensure the continuity of the DPO's tasks, but also - due to the fact that such a person must have appropriate substantive preparation, such as the DPO (in accordance with Article 11a paragraph 1 of the Act on the Protection of Personal Data) - may provide real and continuous support for the controller (and the DPO servicing it). In this respect, the view and argumentation presented in the cited DPO question that it is worth aiming at solutions of a permanent, long-term nature are correct. This is indicated not only by the need to adopt effective solutions in order to reliably comply with the principles of personal data protection, but also by pragmatic considerations related to the manner in which the Polish legislator has shaped the provisions concerning the person replacing the DPO, including the obligation to notify the President of the Personal Data Protection Office about the person designated to replace the DPO.
The appointment of a permanent "deputy" with appropriate knowledge and preparation would serve to ensure the continuity of the DPO during his/her sudden or planned absence (e.g. illness, leave). During the presence of the DPO, the "substitute" could, for example, cooperate with the Data Protection Officer on an ongoing basis to discuss important matters, thanks to which he/she would know the specifics of the current activities of the controller and the officer.
It is worth mentioning that in the opinion of the Personal Data Protection Office, it is permissible for the controller to designate two persons to replace the data protection officer. One would carry out the tasks of the DPO during his/her absence, and the other one in case of absence of both the DPO and the first person replacing him/her (more information in this respect can be found in issue 10 of the UODO’s newsletter for the DPOs (October 2020) page 2).