Who has to and who does not have to designate a DPO?
Art. 37 para. 1 of the General Data Protection Regulation provides for the obligation to designate a data protection officer for controllers and processors where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Public authorities or bodies obliged to designate a DPO, referred to in Art. 37 para. 1 letter a of the GDPR, shall mean public finance sector entities (e.g. territorial self-government entities, public education institutions), research institutes and the National Bank of Poland (Narodowy Bank Polski) (Art. 9 of the Act of 10 May 2018 on Personal Data Protection).
In interpreting the notions used in Art. 37 para. 1 letters b and c of the GDPR ("core activities", "regular and systematic monitoring" and "on a large scale"), the recitals of the GDPR and the Article 29 Working Party's Guidelines on Data Protection Officers may be useful.
In other cases designation of a DPO is optional. However, even where the requirement to designate a DPO does not follow from the provisions, the Article 29 Working Party in its Guidelines on Data Protection Officers recommends that controllers and processors document the internal analysis carried out to determine whether the particular conditions of Art. 37 para. 1 of the GDPR are met and, consequently, whether the obligation exists or not.
Qualification to fulfil a DPO function
Pursuant to Art. 37 para. 5 of the GDPR, the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. The level of the DPO's knowledge shall be determined in the context of the particular needs of the controller and the processor (recital 97 of the GDPR). As indicated by the Art. 29 Working Party, the required level of expertise is not strictly defined, but it must be commensurate with the sensitivity, complexity and amount of data an organisation processes. The DPO should thus be chosen carefully, with due regard to the data protection issues that arise within the organisation.
The DPO shall have:
- expertise in national and European data protection laws;
- expertise in personal data protection practices;
- an in-depth understanding of the GDPR;
- knowledge of the business and sector related to the controller’s activity;
- a good understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller;
- in the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organisation.
As regards the performance of the DPO's tasks, the Working Party indicated that the DPO's primary concern should be enabling compliance with the GDPR. Thus the DPO should play a key role in fostering a data protection culture and help to implement essential elements of the GDPR, such as:
- the principles of data processing,
- data subjects’ rights,
- data protection by design and by default,
- records of processing activities,
- security of processing,
- notification and communication of data breaches.
The personal qualities of a DPO qualifying him or her to fulfil this function should include integrity and high professional ethics.
DPO’s form of employment
Pursuant to Art. 37 para. 6 of the GDPR, the DPO may be either an employee of the controller or processor or a person who is not an employee of the above-mentioned entities and performs the tasks on the basis of a service contract (outsourcing).