DPO Flashcards
When is it mandatory to designate a DPO?
Article 37 (a)-(c)
(a) Processing is carried out by a public authority or body (courts exempt)
(b) Core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
(c) Core activities consist of processing on a large scale of special categories of personal data (Articles 9 and 10)
What defines “a public authority or body”?
National, regional or local authorities
WP29 recommends that private organisations carrying out public tasks or exercising public authority (public transport services, water and energy supply, service broadcasting, etc.) also designate a DPO
What defines “core activities”?
Primary activities of a controller/processor.
Key operations that are necessary to achieve the controller’s or processor’s goals.
E.g. hospitals - the primary activity is to provide health care, but this cannot be done without processing personal health data. Thus the processing is a core activity and a DPO must be designated.
E.g. a private security company - surveillance is the core activity, and it is inextricably linked to the processing of personal data. A DPO is required.
Is processing of personal data in relation to paying employees seen as a “core activity” of an employer?
No; these are necessary support functions for the organisation’s core activity and are considered ancillary.
What defines “large scale”?
Individual assessment.
Criteria:
- Number of data subjects concerned
- Volume of data and/or range of different data items being processed
- Duration, or permanence, of the processing activity
- Geographical extent
What are some examples of “large scale” data processing?
- Processing of patient data in the regular course of business by a hospital
- Processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- Processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- Processing of customer data in the regular course of business by an insurance company or a bank
- Processing of personal data for behavioural advertising by a search engine
- Processing of data (content, traffic, location) by telephone or internet service providers
What is defined as “regular and systematic monitoring”?
All forms of tracking and profiling on the internet.
WP29 interprets ‘regular’ as meaning one or more of the following:
Ongoing or occurring at particular intervals for a particular period
Recurring or repeated at fixed times
Constantly or periodically taking place
WP29 interprets ‘systematic’ as meaning one or more of the following:
Occurring according to a system
Pre-arranged, organised or methodical
Taking place as part of a general plan for data collection
Carried out as part of a strategy
What are examples of regular and systematic monitoring?
- Operating a telecommunications network
- Providing telecommunications services
- Email retargeting
- Profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering)
- Location tracking, for example, by mobile apps
- Loyalty programs
- Behavioural advertising
- Monitoring of wellness, fitness and health data via wearable devices
- Closed circuit television
- Connected devices, e.g. smart meters, smart cars, home automation, etc.
What is the requirement for a single DPO for a group of undertakings and a public authority respectively?
Group of undertakings (art. 37(2))
The DPO must be easily accessible from each establishment (to inform and give advice)
Public authority (art. 37(3))
Taking account of their organisational structure and size. The DPO must be able to exercise the tasks following from article 39 for all the authorities.
What qualifications must a DPO have?
Level of expertise
The DPO should be chosen carefully, with due regard to the data protection issues that arise within the organisation.
Professional qualities
Knowledge of the business sector and of the organisation of the controller is useful. The DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller.
In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organisation.
Ability to fulfil its task
Fulfilling the tasks set down in article 39, but also fostering a data protection culture within the company and securing compliance with the GDPR.
Who can be designated as a DPO?
An existing employee of the company or an external person, provided there is no conflict of interest.
The DPO must be independent and under no instructions from the company.
Must directly report to the highest management level.
Shall be bound by secrecy or confidentiality.
What are the tasks of the DPO?
Article 39
(a) To inform and advise pursuant to data protection provisions
(b) To monitor compliance with GDPR and with the policies of the controller/processor - including the assignment of responsibilities, awareness-raising, training of staff and audits
(c) To advise in regard to DPIAs and monitor their performance
(d) To cooperate with the DPA
(e) To act as the contact point for the DPA