Is the controller obliged under the GDPR to set up a team for the DPO?
I am a data protection officer at a large hospital with a very complex organisational structure employing a staff of more than 2,000 employees. In my daily work in connection with the tasks of the DPO, I encounter a huge number of data protection issues requiring my analysis and providing support to the controller or its staff. It would be an important support for me to perform the tasks of the DPO if the controller set up a DPO team. Do the GDPR provisions require that the controller sets up such a team?
The GDPR imposes certain very specific duties on the controller (more precisely, on the management of the organisation that is the controller) with respect to the DPO functioning in its organisation. The way in which these duties are carried out depends on the specifics of the controller in question (including its size, structure and type of activity) and of the data processing it carries out (including the nature, scope, context and purposes of the processing). Depending on these factors, the controller must provide the DPO with proper operating conditions, and it is the controller's responsibility to ensure that the DPO performs his or her tasks effectively and correctly.
One such specific duty imposed on the controller is to support the DPO in fulfilling his or her tasks (referred to in Article 39 of the GDPR) by providing him or her with the resources necessary to perform these tasks, with access to personal data and processing operations, and with the resources necessary to maintain his or her expertise, in accordance with Article 38(2) of the GDPR.
The Article 29 Working Party's Guidelines on Data Protection Officers ('DPOs') (wp243rev.01) advocate a broad understanding of resources, which includes, among other things, staff support, such as the setting up of a data protection officer team. It should be added that the resources to be provided by the controller can also be understood as:
- active support of the DPO’s function by senior management
- sufficient time for DPOs to fulfil their tasks
- adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
- official communication of the designation of the DPO to all staff
- access to other services within the organisation so that DPOs can receive essential support, such as IT, HR or legal departments
- continuous training.
The DPO should have the opportunity to continuously update his/her knowledge of personal data protection. The goal should be to increase the DPO's knowledge and encourage him/her to participate in training courses, workshops, data protection forums, etc.
When designating a person as a DPO, the controller should jointly determine with him or her the rules for ensuring that the officer has sufficient time to fulfil his or her tasks, help create a plan for his or her work, and, if necessary, support his or her functioning with a team of relevant specialists. In order to implement the principle of accountability expressed in Article 5(2) of the GDPR, it is necessary to carefully analyse whether the designated person will be able to properly fulfil all his or her duties to the controller. The assessment of this issue depends on a number of factors, including but not limited to: having an adequate amount of time at his or her disposal for the scope of tasks and the specifics of the data processing, the need to avoid conflicts of interest, and the size and organisational structure of the organisation that is the controller. At the same time, one should be aware that many of the tasks of officers provided for in the GDPR require constant involvement and the so-called "effective availability" of the officer to people within the organisation. This is because the tasks of the DPO include, for example, ongoing monitoring of the compliance of personal data processing with the law, providing information and advice on the obligations under the law, and acting as a contact point for data subjects and the supervisory authority.
The DPO team may include a person or persons to replace the officer in his or her absence. The possibility of designating such a person is provided for in Article 11a(1) of the Act of 10 May 2018 on the Protection of Personal Data. According to the Personal Data Protection Office, it is permissible for the controller to designate two persons to replace the DPO: one would carry out the tasks of the DPO in his or her absence, and the other would do so when both the DPO and the first replacement are not at work (for more information in this regard, see issue 10 of the Polish DPA's newsletter for DPOs (October 2020), page 2).
It is also worth noting the view expressed in "The DPO Handbook: Guidance for data protection officers in the public and quasi-public sectors on how to ensure compliance with the European Union General Data Protection Regulation", page 123, regarding the setting up of a DPO team in public entities:
"In public authorities the creation of a team would indeed be advisable. In small public bodies, this could consist simply of existing staff regularly meeting with the DPO to discuss relevant matters and prepare policy. In larger ones, some may be more formally assigned part-time DPO supporting functions. In some, it may be necessary to appoint full-timers to support the DPO. As all the guidance documents make clear, the decisions on these matters should be made in the light of (i) the complexity or sensitivity of personal data processing operations and (ii) the size and resources of the entity in question. But in the end, it is a legal requirement of the GDPR that the resources that are allocated to the DPO (and the team) are adequate for the tasks in hand."
A lot of information on the controller's duties under Articles 37 and 38 of the GDPR can be found in the DPO section of the Polish DPA's website. Valuable guidance is also provided by the decisions of the President of the Personal Data Protection Office (e.g. ref. No. ZSOŚS.421.25.2019, https://www.uodo.gov.pl/decyzje/ZSO%C5%9AS.421.25.2019) and of other EU supervisory authorities tasked with monitoring and enforcing compliance with the aforementioned provisions (including by imposing administrative fines on controllers under Article 83(4)(a) of the GDPR).