To DPO or Not to DPO: Revised Guidance Issued on Data Protection Officers Under GDPR

Ballard Spahr LLP

If you are a hospital processing European Union (EU) patient data, if you maintain EU customer loyalty programs, or if you engage in behavioral advertising of EU citizens, you may be required to appoint a data protection officer (DPO) by May 2018.

Earlier this month, the Article 29 Working Party (WP29) issued revised guidance regarding the appointment of data protection officers under the General Data Protection Regulation (GDPR), the new EU privacy regulation which goes into effect in May 2018. These revisions build upon guidance initially adopted in December 2016.

Who Must Appoint a DPO?

GDPR creates a new stipulation: the appointment of a data protection officer to monitor the organization's compliance with the requirements of GDPR. The organizations that must appoint one include all controllers and processors that are "public authorities and bodies." In the private sector, DPOs must be appointed by entities which, as a core activity, monitor individuals systematically and on a large scale, or that possess special categories of personal data on a large scale. Even if an entity is not required to appoint a DPO, the WP29 guidance recommends that one be appointed on a voluntary basis.

The guidance characterizes "core activities" as key activities necessary to achieve the entity's goals, but also practices whereby data processing is "an inextricable part" of the entity's operations. As an example, the guidance states that while data processing likely would not be considered a core activity of a hospital, the hospital could not provide safe patient care without processing health data records and thus should appoint a DPO.

WP29 counsels that "regular and systematic monitoring" includes all forms of tracking and profiling on the internet. WP29 additionally notes that "regular" would mean "ongoing or occurring at particular intervals for a particular period; recurring or repeated at fixed times; and constantly or periodically taking place." And "systematic" would mean "occurring according to a system; pre-arranged, organized, or methodical; taking place as part of a general plan for data collection; and carried out as part of a strategy."

Examples of such monitoring include providing telecommunications services; email retargeting; profiling and scoring for purposes of risk assessment (e.g., credit scoring, establishment of insurance premiums, fraud prevention, detection of money laundering); location tracking, for example by mobile apps; loyalty programs; behavioral advertising; and connected devices (e.g., smart meters, smart cars, home automation).

WP29 recommends that the following factors be taken into account to determine whether an organization is processing data on a large scale:

  • The number of data subjects concerned—either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity

Examples of large-scale processing include:

  • Processing of patient data in the regular course of business by a hospital
  • Processing of travel data of individuals using a city's public transport system (e.g. tracking via travel cards)
  • Processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in providing these services
  • Processing of customer data in the regular course of business by an insurance company or a bank
  • Processing of personal data for behavioral advertising by a search engine
  • Processing of data (content, traffic, location) by telephone or internet service providers

DPO Can Be Outside the EU

A DPO may be a single person or a team of people. If an organization prefers, it may contract to appoint an external DPO (or an external DPO team) rather than using a person within the organization.

The WP29 generally recommends that an organization's DPO be physically located in the EU. However, for organizations that have no establishment within the European Union, WP29 recognized that a DPO may be able to carry out his or her activities more effectively if located outside the EU.

In order for an organization's DPO to carry out his or her duties effectively, the GDPR requires that the DPO be given adequate resources and be allowed to maintain his or her independence and autonomy within the organization. This includes refraining from placing the DPO in a position in which he or she could have a conflict of interest.

Organizations should take care to review these guidelines and determine whether to appoint a DPO well in advance of the effective date of the GDPR to ensure compliance.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
