Appointing a data protection officer is not enough: not involving the DPO in processes may lead to a fine

Recently, the Luxembourg data protection authority (National Commission for Data Protection) imposed an 18 000 EUR fine on an unnamed company for not involving its data protection officer (DPO) in data protection issues.

Violation of the requirements of the General Data Protection Regulation

The unnamed company was fined for violating Articles 38.1, 38.2 and 39.1 of the General Data Protection Regulation (GDPR). The National Commission for Data Protection conducted the investigation and found that:

1. the data controller had not designed the position of its internal DPO in accordance with the GDPR,

2. the DPO was not involved in all issues relating to the protection of personal data,

3. the DPO was not provided with sufficient resources to perform his duties,

4. the data controller could not demonstrate that the newly appointed DPO had received sufficient training to properly and independently advise and inform the data controller.

Functions of the DPO

The message of this fine is that the importance of the data protection officer's role is growing, and organizations should take it seriously. The role of a DPO is crucial because it helps ensure that an organization meets its regulatory data privacy requirements. The role can be filled by an in-house employee or an external provider, and the person must have specialized knowledge of data protection law and practice, although certification is not required.

The main functions of the data protection officer are the following:

1. to inform and advise the controller and the employees who carry out processing of their obligations under the GDPR and other data protection laws of the Union or the Member States,

2. to monitor compliance with the provisions of the GDPR, other data protection provisions of the Union or the Member States, and the policies of the controller or processor relating to personal data,

3. to provide advice, where requested, on the data protection impact assessment and to monitor its performance,

4. to cooperate with the supervisory authority,

5. to act as the contact point for the supervisory authority on questions relating to processing.

The GDPR sets forth that it is essential that the DPO participates from the earliest possible stage in all questions related to data protection. Furthermore, the DPO must have sufficient autonomy and resources to perform his or her work effectively. Therefore, the controller must provide the data protection officer with all the resources necessary to carry out his or her tasks efficiently.

When is the appointment of a DPO mandatory?

Organizations face the question of whether they need to appoint a data protection officer. The appointment of a DPO is mandatory when:

1. the processing is performed by a public authority or body, except for courts acting in their judicial capacity,

2. the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of the persons concerned on a large scale,

3. the core activities of the controller or processor consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.

Among the organizations that should appoint a DPO are the following:

  • insurers and reinsurers,
  • organizations responsible for credit information systems,
  • financial institutions,
  • organizations conducting advertising activities that involve preference analysis or profiling,
  • health organizations,
  • service providers offering personal identification services, etc.

The role of the data protection officer is definitely one of the main requirements of the GDPR. Therefore, it is important to ensure that the appointed DPO has the necessary resources and is involved in the processes related to data processing; this position is not merely a formal one.

If you have any questions or doubts about whether you need to appoint a DPO, feel free to contact the data protection experts of ECOVIS ProventusLaw.

Prepared by Ecovis ProventusLaw Senior Associate Milda Šlekytė
