DPO Network Europe | Specialists in European Privacy Recruitment

The European Privacy Recruiter's Blog

Dissecting the EU GDPR DPO requirement, some food for thought! (Part 2)

18/1/2016

 
Let's continue our analysis of the GDPR's provisions on the appointment of Data Protection Officers (DPOs). We will look at the possible contract types for a DPO, the reporting line and positioning within an organization, the duties of the hiring organization and the secrecy/confidentiality principles a DPO must be bound by while performing the job.

Question 6 - Is it necessary to hire an in-house DPO on an employment contract?

No. You can also hire an external DPO on the basis of a service contract.
So far, it has been quite common for companies across Europe to hire an external privacy consultant for a specific project (e.g. a PIA for a new software launch). With the Regulation, there is now the possibility to assign such an expert on an ongoing basis and with an official DPO title.

Businesses have some concerns at this point. One of them is the possible negative perception of an 'outsider', just as happens with other external consultants. Note that, even for an in-house DPO, it will take some time to build the right perception within the company (an advisor? a policeman?) and gain internal acceptance. This may get more challenging if the person is an external.

Some are also concerned that an external DPO would not have sufficient knowledge of the business and that this could result in less compliance. This depends on the amount of time the external DPO will spend at your organization. If you take this person on a full-time basis and the only difference from a regular employee is the contract type, then the initial onboarding period won't be longer than for any other new hire on an employment contract. Going forward, as the external DPO is involved in all matters in a timely manner and works closely with the teams, s/he will gather sufficient knowledge of your business.

You may also combine in-house and external DPOs. In that case, you may wish to consider factors such as the size of your entities, the type of data and processing (which determines their risk levels) and the general level of privacy awareness within each entity.
Question 7 - Reporting line & positioning

The DPO must report directly to the highest management level of the organization.
S/he must be in a position to perform tasks in an independent manner, must not receive any instructions regarding the exercise of his/her tasks and cannot be dismissed or penalized for performing those tasks.
What happens if multiple entities of the same group share a single in-house DPO? Although the DPO will be officially employed by one of the legal entities, s/he would have a solid-line reporting relationship with the highest management levels of all entities in the scope. This situation must be made clear to the employee right from the start. Next to this, you must properly inform the top management of your local entities about this role, the person’s tasks and their own responsibilities, as explained in the Regulation.

In our view, the phrase 'no instructions' in the Regulation refers to operational independence in fulfilling the key tasks. As a subject-matter expert, the DPO is there to help your organization reach its business targets in a compliant way. S/he must be able to advise freely on the compliant course of action. The decision to follow this expert's advice ultimately lies with the business.


The DPO also enjoys some protection against dismissal. You cannot dismiss or penalize the DPO just because the person is doing his/her job (e.g. cooperation with the local DPA). If the person has another role in addition to being a DPO, this protection applies only for the DPO tasks.
Question 8 - Duties of the employer

The employer must support the DPO by providing the resources necessary to carry out his/her tasks and to maintain his/her expert knowledge. The employer must also provide access to personal data and processing operations, ensure that the DPO is properly involved, in a timely manner, in all issues which relate to the protection of personal data, and make his/her contact details available to the supervisory authority and to the public.
As for the 'resources', we can think of things like additional staff, a budget of its own or specific tools which enable better performance, such as data mapping/reporting software.

‘Help maintain the DPO’s knowledge’; we think of things like specialized courses provided by public or private bodies, certification programs, seminars, conferences, books and similar.

'Ensure that the DPO is properly and in a timely manner involved in all issues'; we think of the organization's 'good will' here, treating the DPO not as if s/he is the extended arm of the regulator but rather as a trusted advisor who helps the company reach its targets.
Question 9 - Secrecy or confidentiality

The DPO will be bound by secrecy or confidentiality concerning the performance of his or her tasks.

There are a couple of situations where this may be challenging.
Most companies already have confidentiality clauses in employment contracts which prohibit the employee from using or sharing company-owned confidential information with third parties. As the DPO will be the SPOC for the company towards local supervisory bodies and is obliged to respond and cooperate (although we are not yet sure about the level of transparency required in this communication), this is an issue which must be addressed, so that the DPO is not penalized for breaching the employment/service contract just because s/he shared some company information with the local body.

This may also become an issue for individuals exercising a profession under a confidentiality principle, such as legal counsels. External legal counsels who are considering providing services as an external DPO to an organization may need to structure their engagement not as a counsel (a privileged attorney-client relationship) but as a regular compliance consultant.
This document has been prepared by DPO Network Europe for informational purposes only. The content of this document does not constitute legal advice and should not be relied upon as such. Please check with your legal counsel when in any doubt about understanding your rights and obligations in order to comply with the law and regulations.
