
Role of the Data Protection Officer (DPO)
Explore the obligations and responsibilities associated with appointing a Data Protection Officer (DPO) in compliance with GDPR provisions. This informative guide delves into the significance, appointment criteria, and tasks entrusted to DPOs within organizations.
Topic 5: Role of the DPO

This guide was produced by the STAR project (Support Training Activities on the data protection Reform; 2017-2019), which is co-funded by the European Union under the Rights, Equality and Citizenship Programme 2014-2020 (REC-RDAT-TRAI-AG-2016) under Grant Agreement No. 769138. More information and other GDPR training resources can be found at: www.project-star.eu
Guidance for using these slides (remove before delivering)

These slides are meant to be easily adaptable to different audiences. To facilitate this, each slide is assigned to a specific audience (see "relevant for:" in the notes). In the notes section below each slide, you find an indication of the slide's degree of difficulty [i.e. whether it is suited for data protection beginners or not], its target audience [everyone vs authorities, lawyers, data protection officers, etc.], and its degree of importance [whether it is essential that you deliver it, or if it can be removed without impacting the effectiveness of the training].

Prior to training delivery, please:
- Read the slides and the notes thoroughly
- Take a look at the reading materials; they also serve to assist you in your preparation
- Remove/hide the slides that you consider unnecessary [right-click on the slide miniature on the left and click "Hide Slide"]. A provisional categorisation has been made based on the depth and importance of the respective content
- Adjust slides to national or sectoral requirements
- Add content that you consider essential for your particular audience
- Feel free to replace the default layout with your organisation's layout
How to Read the Slides: Colour Frames [Remove Before Delivering]
- Green is a basic slide: we encourage you to keep it
- Yellow is a medium-level slide: it is important, but does not jeopardise effectiveness if removed
- Red is an advanced slide: consider adapting it to your audience, preparing your audience for it, or removing it if you deem it unnecessary
- Purple is an advised adaptation: this slide should contain information regarding the national legislation complementing the EU Regulations; if the content regards a different Member State, we advise you to replace it with the relevant national content
These slides explore one of the most relevant changes in the new regime: the obligation for some organisations to appoint a Data Protection Officer (DPO), a corporate role tasked with facilitating compliance with the GDPR provisions. They give an overview of when and how to appoint one, and what DPOs are tasked with.
Table of contents
1. What is a DPO?
   a) Designation of a DPO: When do I need a DPO?
   b) What does a DPO do?
      i. functions and activities
      ii. roles and competencies
   c) Organisational requirements for the DPO
   d) Expertise and skills of a DPO
   e) How to become a DPO?
   f) How to choose a DPO?
   g) Checklist DPO
2. Q & A
3. Wrap-up and feedback
Objectives
- Explain the role of DPOs in the protection of natural persons' rights with regard to the processing of their personal data
- Provide an overview of the activities of a DPA
- Help to create a better understanding of the operation of the national supervisory authority
Introductions
- What's your level of experience with data protection?
- What do you know about a DPO?
- Is there anything in particular you are hoping to get out of today?
Relevant Articles of the GDPR concerning Data Protection Officers (DPOs)
- Not an entirely new concept: introduced by Data Protection Directive 95/46/EC (some 38% of EU Member States made the appointment of a DPO compulsory in certain cases)
- GDPR: the Data Protection Officer (DPO) is a corporate role tasked with facilitating compliance with the GDPR provisions and other applicable data protection rules (Recital 97); in certain cases mandatory
- Designation of the DPO (Art. 37)
- Position of the DPO (Art. 38)
- Tasks of the DPO (Art. 39)
Designation of a DPO: When do I need a DPO? (19-3-2025 | 11)
When do I need a DPO?
1. Mandatory DPO
   - Public authority
   - Surveillance: regular and systematic monitoring of data subjects on a large scale
   - Sensitive data: processing on a large scale of special categories of data/criminal convictions
2. Voluntary DPO
Mandatory DPO: public authority
Article 37 (1) (a) GDPR: "The controller and the processor shall designate a data protection officer in any case where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity."
WP29 considers that "public authority" is to be determined under national law:
- National
- Regional
- Local
- Other bodies governed by public law
Mandatory DPO: Surveillance
Article 37 (1) (b) GDPR: "The controller and the processor shall designate a data protection officer in any case where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale."
What is a core activity?
- Primary activities of the controller/processor = key operations necessary to achieve the business goal of a controller or a processor
- The core activity need not be the processing of personal data itself, BUT the processing must be inextricably linked to the main activity of the business
Examples of core activity surveillance:
- Advertising company
- Private security company monitoring shopping centres via video
- Furniture store that sells furniture online and uses cookies to analyse its customers, as the business strategy is to expand further across Europe
- Personnel service provider for factories
What is NOT a core activity?
- If the processing of personal data is merely ancillary
- "Merely ancillary" means a business-supporting (administrative) activity that is not specifically linked to the strategy of the business
- Activities that most companies need to do are ancillary, e.g. HR, tax
Examples of ancillary activity:
- Processing employees' data for payment of their salaries
- An online shoe shop stores customer data (name, delivery address) in order to deliver the shoes
Case studies regarding core activity
1. Social network: core activity?
2. Middle-sized factory building tractors, processing employee data: core activity?
3. Animal shelter using a website to post pictures of animals in need of adoption: core activity?
4. Dating site: core activity?
5. Apps: core activity?
What is meant by "large scale"?
- How many data subjects are concerned?
- What volume of data is being processed?
- What range of different data items is being processed?
- How long does the data processing take place?
- What is the geographical reach of the data processing?
Case studies regarding large scale (& core activity)
- A private company offering public transport services uses key cards for access and use of its transport means (e.g. in Brussels or London). Core activity? Large scale?
- An international fast-food chain hires an analytics company to make statistics about its customers. Core activity? Large scale?
- A bank or insurance company processing data about their clients. Core activity? Large scale?
- A search engine uses personal data of its users to personalise the advertisements it is showing them (behavioural advertisement). Core activity? Large scale?
- A regional telephone or internet service provider processes personal data in the ordinary course of business. Core activity? Large scale?
- An international dating app processes personal data in order to match registered users. Core activity? Large scale?
What is "monitoring"?
- All activities that record personal data to observe different behaviours (surveillance).
- Includes all kinds of profiling and tracking on the internet, including for behavioural advertising.
- Does not need to be online!
When is monitoring "regular"?
- Ongoing or occurring at particular intervals for a particular period, OR constantly OR periodically taking place.
- As soon as the monitoring is being repeated or can be easily repeated.
- One-time monitoring is not enough!
When is monitoring "systematic"?
- Monitoring is occurring according to a system: pre-arranged, organised or methodical.
- Results of monitoring are systematically recorded.
- Monitoring is not random in terms of time and place.
EXAMPLES: Regular and systematic monitoring (surveillance)
- Operating a telecommunications network or providing telecommunication services
- Data-driven marketing activities, including behavioural advertising
- Profiling and scoring for purposes of risk assessment (e.g. for the purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering)
- Location tracking, e.g. by mobile apps
- Loyalty programmes
- Monitoring of wellness, fitness and health data via wearable devices
- Connected devices, e.g. smart meters, smart cars, home automation
Case studies: Regular and systematic monitoring (repeat of large scale), PART I
1) A private company offering public transport services uses key cards for access and use of its transport means (e.g. in Brussels or London) displaying the name and photo of the passenger. Regular and systematic monitoring?
2) An international fast-food chain hires an analytics company to make statistics about its customers. The analytics company pseudonymised the data of each customer. Regular and systematic monitoring?
3) A bank or insurance company processing data about their clients. Regular and systematic monitoring?
Case studies: Regular and systematic monitoring (repeat of large scale), PART II
4) A search engine uses personal data of its users to personalise the advertisements it is showing them (behavioural advertisement). Regular and systematic monitoring?
5) A regional telephone or internet service provider processes personal data in the ordinary course of business. Regular and systematic monitoring?
6) An international dating app processes personal data in order to match registered users. Regular and systematic monitoring?
Exercise on mandatory DPO for surveillance
A factory constructs lawn-mowers.
VARIATION 1: They install a video surveillance system to record who is accessing and leaving the factory (the system does not collect special categories of data). They do the processing of the data from the system themselves.
VARIATION 2: They employ a security company to monitor access to their premises. The security company is tasked to record who is accessing or leaving the factory, and to identify all of the individuals. They install a video system for that purpose (they do not collect special categories of data). The security company specialises in workplace security enhancement of that kind and offers these kinds of services to several factories.
Question: Does any of the actors need to designate a DPO? Why? Why not?
Mandatory DPO: Sensitive Data
Article 37 (1) (c) GDPR: "The controller and the processor shall designate a data protection officer in any case where: the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10."
EXAMPLES
1. Core activity sensitive data
   EXAMPLE 1: Private hospital
   EXAMPLE 2: Private prison
2. Large scale sensitive data
   EXAMPLE 1: Private hospital
   EXAMPLE 2: An individual dentist uses a computer database to store x-rays and diagnoses of his or her patients.
   EXAMPLE 3: A lawyer processes personal data of his or her clients, including criminal convictions and offences.
Case studies: processing on a large scale of special categories of data/criminal convictions as a core activity, PART I
1) Running app: A running app requests the user to give the following data: age, weight, height. It then shows the BMI. It records each run the user takes, including length and time. It regularly asks the user to update the information, to track potential weight loss or gain. Core activity? Large scale? Sensitive data?
2) A social media network encourages users to state political preference/religion/philosophical beliefs. It uses the information it receives for behavioural advertising. Core activity? Large scale? Sensitive data?
Case studies: processing on a large scale of special categories of data/criminal convictions as a core activity, PART II
3) An international criminal law firm that has cases in several EU Member States and in third countries operates with a central client database that also includes information on criminal convictions and offences. Core activity? Large scale? Sensitive data?
4) VARIATION of 3): A one-man law firm introduces such a database for his or her own clients. Core activity? Large scale? Sensitive data?
5) A physiotherapist/personal trainer keeps charts and information on each patient in an online system, including weight, height, medical ailments etc. Core activity? Large scale? Sensitive data?
ATTENTION!
- There are no exceptions once you fall under one of the cases for mandatory DPO designation.
- Member States can add more mandatory instances.
- Other EU law can add more mandatory instances.
Voluntary DPO
Article 37 (4) GDPR: "In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may (...) designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors."
QUESTIONS about: When do I need a DPO?
What does a DPO do?
Tasks of a DPO, Part I
1. All issues related to the protection of personal data
   - The DPO works on ALL data protection issues, not just those under the GDPR
   - The DPO applies a risk-based approach
2. Monitoring compliance with the GDPR
   - Inform and advise the company and employees about their obligations
   - Audits
   - Awareness-raising and training of staff
Tasks of a DPO, Part II
3. Role in data protection impact assessments
   It is in principle the task of the controller to conduct a data protection impact assessment. The controller must ask the DPO for advice about:
   - whether to carry it out
   - methodology
   - potential outsourcing
   - how to mitigate risks
   - conclusions
4. Direct reporting to senior management
   Article 38 (3) GDPR: "(...) The data protection officer shall directly report to the highest management level of the controller or the processor."
   - Reporting about all data protection activities
   - Frequency depends on urgency
   - Special attention to cases where the DPO dissents from a data protection management decision
Tasks of a DPO, Part III
5. Cooperating with supervisory authorities and being a contact point for data subjects
   - The DPO should facilitate and mediate between its organisation and the supervisory authority.
   - The DPO should help the supervisory authorities to gain access to the necessary documents and information.
   - The DPO should also act as a contact point for data subjects who have questions or issues with the processing of their personal data.
6. Optional tasks
   - Record-keeping
   - Data management systems
   - Regular reports on all data protection activities
QUESTIONS about: What does a DPO do?
What are the organisational requirements for a DPO?
Organisational requirements for a DPO
1) DPO at the Controller or at the Processor
2) Status of the DPO within an organisation
3) Necessary resources
4) Autonomy of the DPO
5) Secrecy and confidentiality
6) Publicity of DPO contact details
7) DPOs for more than one entity
1. DPO at the Controller or the Processor?
- Both Controllers and Processors can be required to designate a DPO
- Sometimes only the Controller designates a DPO
- Sometimes only the Processor designates a DPO
EXAMPLE 1: A small family business active in the distribution of household appliances in a single town uses the services of a processor whose core activity is to provide website analytics services and assist with targeted advertising and marketing.
EXAMPLE 2: A medium-sized tile manufacturing company subcontracts its occupational health services to an external processor, which has a large number of similar clients.
2. Status of a DPO within an organisation
Article 38 (1) GDPR: "The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data."
- The DPO must be in a position to be involved in that manner.
- The DPO must be involved as early as possible.
- The DPO must be a discussion partner within the organisation for all data protection issues.
EXAMPLES of the correct position of a DPO
- The DPO is invited to participate regularly in meetings of senior and middle management.
- The DPO is present when decisions with data protection implications are taken.
- The opinion of the DPO is always given due weight.
- The DPO is promptly consulted once a data breach or other incident has occurred.
- The DPO is accessible.
3. Necessary resources for a DPO
Article 38 (2) GDPR: "The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge."
4. Autonomy of a DPO
Article 38 (3) GDPR: "The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks (...)."
- no instructions
- no dismissal/penalty
- no conflict of interest
Autonomy of a DPO II
1. No instructions
   The DPO must be independent within the organisation. The DPO must not be instructed how to deal with a matter, what result should be achieved in a certain data protection investigation, how to investigate a complaint, or whether to consult the supervisory authority.
2. No dismissal/penalty
   Example of wrongful dismissal: A DPO considers that a particular processing is likely to result in a high risk and therefore advises his or her company to carry out a data protection impact assessment, but the company does not agree with the DPO's assessment, and therefore wants to dismiss the DPO in order to hire a colleague of whom they know that he will have a different opinion.
3. No conflict of interest
   Article 38 (6) GDPR: "The data protection officer may fulfil other tasks and duties. The controller or the processor shall ensure that any such tasks and duties do not result in a conflict of interests."
What constitutes a "conflict of interest"?
A DPO cannot be the controller = a DPO cannot be the person who decides about the purposes and means of the personal data processing.
Examples of incompatible positions:
- Chief executive officer
- Chief operating officer
- Chief financial officer
- Chief medical officer
- Head of marketing department
- Head of Human Resources
- Head of IT department
5. Secrecy and confidentiality
Article 38 (5) GDPR: "The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union and Member State law."