Article 29 ANNEX - FREQUENTLY ASKED QUESTIONS
The objective of this annex is to answer, in a simplified and easy-to-read format, some of the key questions that organisations may have regarding the new requirements under the GDPR to appoint a DPO.
1 Which organisations must appoint a DPO?
The designation of a DPO is an obligation:
if the processing is carried out by a public authority or body (irrespective of what data is being processed)
if the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
if the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences
Note that Union or Member State law may require the designation of DPOs in other situations as well. Finally, even if the designation of a DPO is not mandatory, organisations may sometimes find it useful to designate a DPO on a voluntary basis. The Article 29 Data Protection Working Party (‘WP29’) encourages these voluntary efforts. When an organisation designates a DPO on a voluntary basis, the same requirements will apply to his or her designation, position and tasks as if the designation had been mandatory.
Source: Article 37(1) of the GDPR
2 What does ‘core activities’ mean?
‘Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, processing health data, such as patients’ health records, should be considered as one of any hospital’s core activities and hospitals must therefore designate DPOs.
On the other hand, all organisations carry out certain supporting activities, for example, paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.
Source: Article 37(1)(b) and (c) of the GDPR
3 What does ‘large scale’ mean?
The GDPR does not define what constitutes large-scale processing. The WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
the number of data subjects concerned - either as a specific number or as a proportion of the relevant population
the volume of data and/or the range of different data items being processed
the duration, or permanence, of the data processing activity
the geographical extent of the processing activity
Examples of large scale processing include:
processing of patient data in the regular course of business by a hospital
processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities
processing of customer data in the regular course of business by an insurance company or a bank
processing of personal data for behavioural advertising by a search engine
processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
processing of patient data by an individual physician
processing of personal data relating to criminal convictions and offences by an individual lawyer
Source: Article 37(1)(b) and (c) of the GDPR
4 What does ‘regular and systematic monitoring’ mean?
The notion of regular and systematic monitoring of data subjects is not defined in the GDPR, but clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment.
Examples of activities that may constitute a regular and systematic monitoring of data subjects: operating a telecommunications network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc.
WP29 interprets ‘regular’ as meaning one or more of the following:
ongoing or occurring at particular intervals for a particular period
recurring or repeated at fixed times
constantly or periodically taking place
WP29 interprets ‘systematic’ as meaning one or more of the following:
occurring according to a system
pre-arranged, organised or methodical
taking place as part of a general plan for data collection
carried out as part of a strategy
Source: Article 37(1)(b) of the GDPR
5 Can organisations appoint a DPO jointly? If so, under what conditions?
Yes. A group of undertakings may designate a single DPO provided that he or she is ‘easily accessible from each establishment’. The notion of accessibility refers to the tasks of the DPO as a contact point with respect to data subjects, the supervisory authority and also internally within the organisation. In order to ensure that the DPO is accessible, whether internal or external, it is important to make sure that their contact details are available. The DPO, with the help of a team if necessary, must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential to ensure that data subjects will be able to contact the DPO.
A single DPO may be designated for several public authorities or bodies, taking account of their organisational structure and size. The same considerations with regard to resources and communication apply. Given that the DPO is in charge of a variety of tasks, the controller or the processor must ensure that a single DPO, with the help of a team if necessary, can perform these efficiently despite being designated for several public authorities and bodies.
Source: Article 37(2) and (3) of the GDPR
6 Where should the DPO be located?
To ensure that the DPO is accessible, the WP29 recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union. However, it cannot be excluded that, in some situations where the controller or the processor has no establishment within the European Union, a DPO may be able to carry out his or her activities more effectively if located outside the EU.
7 Is it possible to appoint an external DPO?
Yes. The DPO may be a staff member of the controller or the processor (internal DPO) or fulfil the tasks on the basis of a service contract. This means that the DPO can be external, and in this case, his/her function can be exercised based on a service contract concluded with an individual or an organisation.
When the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the DPO tasks as a team, under the responsibility of a designated lead contact and ‘person in charge’ of the client. In this case, it is essential that each member of the external organisation exercising the functions of a DPO fulfils all applicable requirements of the GDPR.
For the sake of legal clarity and good organisation, and to prevent conflicts of interests for the team members, the Guidelines recommend having, in the service contract, a clear allocation of tasks within the external DPO team and assigning a single individual as a lead contact and person ‘in charge’ of the client.
Source: Article 37(6) of the GDPR
8 What are the professional qualities that the DPO should have?
The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks.
The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support.
Relevant skills and expertise include:
expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR
understanding of the processing operations carried out
understanding of information technologies and data security
knowledge of the business sector and the organisation
ability to promote a data protection culture within the organisation
Source: Article 37(5) of the GDPR
Position of the DPO
9 What resources should be provided to the DPO by the controller or the processor?
The DPO must have the resources necessary to be able to carry out his or her tasks.
Depending on the nature of the processing operations and the activities and size of the organisation, the following resources should be provided to the DPO:
active support of the DPO’s function by senior management
sufficient time for DPOs to fulfil their tasks
adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
official communication of the designation of the DPO to all staff
access to other services within the organisation so that DPOs can receive essential support, input or information from those other services
continuous training
Source: Article 38(2) of the GDPR
10 What are the safeguards to enable the DPO to perform her/his tasks in an independent manner? What does ‘conflict of interests’ mean?
Several safeguards exist in order to enable the DPO to act in an independent manner:
no instructions by the controllers or the processors regarding the exercise of the DPO’s tasks
no dismissal or penalty by the controller for the performance of the DPO’s tasks
no conflict of interest with possible other tasks and duties
The other tasks and duties of a DPO must not result in a conflict of interests. This means, first, that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.
As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.
Source: Article 38(3) and 38(6) of the GDPR
Tasks of the DPO
11 What does ‘monitoring compliance’ mean?
As part of their duties to monitor compliance, DPOs may, in particular:
collect information to identify processing activities
analyse and check the compliance of processing activities
inform, advise and issue recommendations to the controller or the processor
Source: Article 39(1)(b) of the GDPR
12 Is the DPO personally responsible for non-compliance with data protection requirements?
No. DPOs are not personally responsible for non-compliance with data protection requirements. It is the controller or the processor who is required to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Data protection compliance is the responsibility of the controller or the processor.
13 What is the role of the DPO with respect to data protection impact assessments and records of processing activities?
As far as the data protection impact assessment is concerned, the controller or the processor should seek the advice of the DPO, on the following issues, amongst others:
whether or not to carry out a DPIA
what methodology to follow when carrying out a DPIA
whether to carry out the DPIA in-house or whether to outsource it
what safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects
whether or not the data protection impact assessment has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with data protection requirements
As far as the records of processing activities are concerned, it is the controller or the processor, not the DPO, who is required to maintain records of processing operations. However, nothing prevents the controller or the processor from assigning the DPO the task of maintaining the records of processing operations under the responsibility of the controller or the processor. Such records should be considered as one of the tools enabling the DPO to perform his or her tasks of monitoring compliance, informing and advising the controller or the processor.
Source: Article 39(1)(c) and Article 30 of the GDPR