How to choose a DPO? Practical insights
Under the GDPR framework, data controllers and data processors equally have the obligation to appoint a DPO if certain conditions are met. In the event they voluntarily opt to appoint a DPO, the complete set of rights and obligations surrounding the DPO position becomes applicable as such.
Under the GDPR, the duties of the DPO may be met internally or outsourced to a specialized and/or authorized third party DPO company.
Who needs to appoint it?
This article will not focus on the cases when the appointment of the DPO is a must. Article 29 Working Party (Art. 29 WP) has issued pages of guidelines to this end. Considering the relevant criteria of the GDPR and Art. 29 WP guidance, for many companies it will actually be hard to document that they are exempt. In any event, if a company truly believes it does not need to appoint a DPO, it should very clearly and professionally explain and document such conclusion in writing. To this end, all documents relating to internal analysis, reasoning, separate opinions, internal meetings and external advice should be archived in order to document the best efforts for GDPR compliance.
In any event, as noted, both data controllers and data processors meeting the criteria must appoint a DPO. Cloud providers, as one of the most obvious categories of data processors, should equally appoint a DPO if they meet the legal criteria for having this obligation. We note that, in Romania, the supervisory authority recommended to the data controllers and data processors who do not fulfill the criteria listed by GDPR in art. 37 to appoint a DPO on a voluntary basis.
What does it look like?
The DPO should have proficient knowledge of data protection law and practices and the ability to fulfill a series of tasks expressly prescribed by the GDPR, as well as any related operations necessary for fulfilling such tasks.
Art. 29 WP again provides guidance on these requirements:
- knowledge of data protection law refers to expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR;
- the level of expertise must be proportional with the sensitivity, complexity and amount of data processed by an organization, while
- the ability to fulfill tasks refers both to the knowledge of the DPO and also to its position within the organization.
Within the organization, the DPO would normally be the individual with the best expertise in data protection matters, but also senior enough to play the role, manage all stakeholders, and have sufficient top management credibility and support. The DPO must be a facilitator and be able to resist all surrounding pressure.
The right balance of these two areas (data protection knowledge and seniority) may sometimes be difficult to achieve, though seniority is decisive in our view. Nonetheless, the required level of expertise and knowledge can also be supplemented with the support of an internal team or external support (external DPO or external consultancy support).
In the case of an internal DPO, the data controllers and data processors should be aware of the conflict of interests and independence criteria. The DPO cannot actually take any business decisions within the organization (e.g. type of personal data to be processed, the means of processing data) and cannot be in a position to validate or invalidate his/her own previous business decisions, while having another job in the same organization. Attention should be paid to personal relations and previous affiliations in order to assess the independence criteria. This brings additional limitations to the DPO selection process. Any breach of the conflict of interests restrictions is expressly sanctioned under the GDPR. Independence and delineation from conflict of interests must also be ensured in the position documentation (contract, job description, organizational chart, organization and functioning regulation, etc.).
Where can I find it?
Within the organization or outside the organization.
Inside the organization, a company will face the challenge of eliminating conflict of interests and ensuring independence.
Outside of the organization, as a new recruit-employee or freelancer, on one hand, or a separate legal entity (external DPO), on the other hand.
In a recruitment process, a company will face the recruiting burden, considering that data protection specialists are rather scarce on the market. In case this individual is licensed as a freelancer, depending on the structure of the relation, a company should pay attention to the risks of fiscal requalification as a dependent position.
For many companies, an external DPO may be the most appropriate option. No doubt that a DPO is not in essence a function reserved to individuals and a company may be an external DPO. An external DPO may have additional resources, professional liability insurance, better exposure to similar projects and therefore higher expertise. However, the external DPO firm should appoint a main contact person for a certain client. This is similar, for instance, to an audit company, which must appoint a specific individual as the key responsible for a particular client account relationship (including for the purposes of the auditor registration with the trade registry).
A combination of internal and external resources may actually be the best approach in many instances. An internal DPO would ensure for instance a close management of the related data protection projects (and an appropriate and sufficient flow of information towards the external advisors), corroborated with the use of external resources (lawyers, privacy specialized companies), based on the organization business needs.
Below we have created a very brief comparison of pros and cons for the various options:
(to be used when a DPO is not required and the company did not opt-in for a DPO on voluntary basis)
How can I retain it?
Assuming that all prerequisites are cleared (e.g. conflict of interests), convincing an individual to take over the internal DPO position can be difficult. A DPO may request, for instance, contractual liability limitations, professional liability insurance paid by the company, a certain team and budget. Evaluate such options and be prepared to confirm whether such requests can be accepted.
Offer comfort to the DPO that he/she will have all needed logistics, but most importantly, support and commitment from highest management level. No compliance program can be successful if top management commitment is missing.
Think about a remuneration system that secures the independence and the long-term dedication of the DPO, such as a deferred bonus system, a long-term incentive plan, etc. Think about benefits, evaluation criteria and KPIs.
Evaluate the type of contract that can legally be used for retaining an internal DPO: employment contract or management/civil contract? There are opinions that a management/civil contract, while legally possible, is not in fact observing the spirit of GDPR and does not ensure the independence criteria. Assuming an assessment that would validate a management contract for this purpose, such civil contract would certainly allow better flexibility in terms of liability and termination. Moreover, by also assuming a reporting of the DPO to the top management level, a civil contract may be more suitable for this top level position with advisory and supervision role.
In any event, when a DPO would be retained under an employment contract, the following would apply under Romanian law: (i) the termination of an employee is rather strict and formal, (ii) employees can obtain in court reinstatement to the previous position, (iii) the burden of proof lies with the employer, (iv) the employee can admit his/her civil liability towards the employer up to a certain limit, a court decision being necessary for the excess, (v) salary withholdings are also limited, (vi) there are opinions that liquidated damages clauses are not allowed in employment relations, (vii) employees cannot waive their legal rights, etc. Considering the express restriction under the GDPR to dismiss a DPO for performing his/her tasks, a dismissal for professional unfitness would be extremely difficult; therefore, opting for alternatives (i.e. management contract assuming clearance to use this type of contract or, ideally, external DPO) seems extremely advisable.
Moreover, irrespective of the contractual ground, an individual (internal DPO) should be far less solvent than an external DPO in case of a liability claim.
Can I share it?
Art. 29 WP makes it clear in their guidance that a DPO can be shared, for instance by a group of companies. In this case, the DPO should have local teams to support him/her in each relevant country, including, among others, with specific knowledge of the local market, supervisory authority approach and local language skills (to be able to act as contact person for the authorities and local data subjects). Irrespective of this common view and approach of Art. 29 WP, it seems that some supervisory authorities might recommend having a DPO at the level of each group entity with legal personality (e.g. for easier access to the DPO, better communication or better monitoring of the personal data processing).
This article was intended as a practical guide to assist market actors, controllers and also processors, in making their assessment and validating the best option for their company. It is not intended to be exhaustive or 100% correct, as it expresses opinions only.
Article provided by: Adelina-Iftime Blagean (Wolf Theiss Rechtsanwälte)