29 Oct WELL, SHOULD MY COMPANY IN SPAIN HIRE A DATA PROTECTION OFFICER (DPO) OR NOT?
Well, that depends, and we cannot give one of those short and succinct answers that we would all expect, especially in an area of business obligations that is so important and where breaking the rules means risking very high economic sanctions or fines. The reason is simply that the law, as it is currently written, does not allow an exact, concrete and totally enlightening interpretation of the issue. But let us not be frightened: there are many criteria that, if we look at them with a little attention and detail, will clear your doubts and will surely lead you to the conclusion you need.
Let’s do it.
Let’s start with the general part of the answer: according to Article 37.1 of the General Data Protection Regulation (EU) 2016/679 (GDPR), the controller or processor shall designate a Data Protection Officer (DPO) where:
(a) The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) The core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) The core activities of the controller or processor consist of large-scale processing of special categories of data under Article 9 (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation) or of personal data relating to criminal convictions and offences referred to in Article 10.
And now let’s go to the interpretation of the opaque points of this rule, which, as you will have noticed, are points (b) and (c) above, since point (a) is a blessing of clarity and you will not need to rack your brains to understand it (thank you very much).
The notion of regular and systematic monitoring of data subjects is not defined in the GDPR, but the concept of ‘monitoring the behaviour of data subjects’ is mentioned in other parts of the Regulation and clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.
However, the concept of monitoring is not limited to the online environment, and online tracking should be considered only one example of monitoring the behaviour of data subjects.
“Regular” shall be interpreted with one or more of the following meanings:
- Ongoing or occurring at particular intervals for a particular period;
- Recurring or repeated at fixed times;
- Constantly or periodically taking place.
“Systematic” shall be interpreted with one or more of the following meanings:
- Occurring according to a system;
- Pre-arranged, organised or methodical;
- Taking place as part of a general plan for data collection;
- Carried out as part of a strategy.
Okay, and now what do we mean by large-scale processing?
Alright, this is where we have to deal with great intangibles, because the GDPR does not define it, and it is not possible to give an exact figure, either for the amount of data processed or for the number of people affected, that could be applied in all situations. However, this does not preclude the possibility of the authorities developing, over time, a standard method of identifying such a concept in more specific or quantitative terms.
In the meantime, I fear that we must ponder a little more; at least the institutional bodies that are officially and exquisitely interpreting what on earth we are talking about recommend that the following factors be taken into account, in particular, when determining whether processing is carried out on a large scale:
- The number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
- The volume of data and/or the range of different data items being processed;
- The duration, or permanence, of the data processing activity;
- The geographical extent of the processing activity.
As examples of large-scale processing, the European Data Protection Board (EDPB) cites the following. (Something is better than nothing; see if they are talking about you, in which case you can go hunting for a DPO):
- The processing of patient data in the regular course of business by a hospital;
- The processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
- The processing of real-time geolocation data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services;
- The processing of customer data in the regular course of business by an insurance company or a bank;
- The processing of personal data for behavioural advertising by a search engine;
- The processing of data (content, traffic, location) by telephone or internet service providers.
On the contrary, as cases that do not constitute large-scale processing (see if these refer to you, in which case you can go and have a pint):
- The processing of patient data by an individual physician;
- The processing of personal data relating to criminal convictions and offences by an individual lawyer.
Those of you who are still here (yes, I know, you are a thirsty crowd) should bear in mind that both the EU and the Spanish Data Protection Agency (AEPD), within the framework of the principle of accountability (“responsabilidad proactiva”), urge controllers and processors to document the internal analysis carried out to determine whether or not a DPO should be appointed, in order to be able to demonstrate that the relevant factors have been duly taken into account. This analysis is part of the documentation required under the principle of accountability: it may be requested by the supervisory authority and must be updated when necessary.
When an organisation designates a DPO voluntarily, which is what the authorities recommend at the slightest doubt about whether one is obliged to designate a DPO (it makes their life easier while you spend a few bucks; come on, it won’t be a big pile, I assure you), the DPO’s position and tasks shall meet the requirements established in Articles 37 to 39 of the GDPR, just as if the appointment were mandatory under the assumptions assessed above. In the same way, let’s clarify that the function of the DPO can also be exercised under a service contract concluded with a natural person or with an organisation outside the controller’s or processor’s organisation.
In short, with all this information, when determining whether or not you are obliged to have a DPO you should analyse what sensitive data you process (for example, health data), the number of processing operations, the geographical scope, etc.