Do we as an SME have to employ a Data Protection Officer (DPO)?


WHO IS A DPO?

The GDPR (General Data Protection Regulation) makes the appointment of a DPO (Data Protection Officer) mandatory in certain cases. The DPO assists the controller or processor in matters relating to the protection of personal data. The DPO's role is therefore not to guarantee that data protection incidents never occur, but to support and maintain the organisation's data protection processes.

Tasks of the Data Protection Officer:

  • provides information and technical advice to the controller or processor and their employees on their obligations under data protection law;
  • monitors compliance with all data protection legislation, including audits, awareness-raising activities and training of staff involved in data processing operations;
  • advises on the data protection impact assessment and monitors how the impact assessment is carried out;
  • acts as a contact point for data subjects who contact them in relation to the processing of their personal data and the exercise of their rights;
  • cooperates with data protection authorities and acts as a contact point for the authorities on matters relating to data processing.

When is the use of a DPO mandatory?

A DPO is mandatory in the following cases:

  • processing is carried out by a public authority or another body with a public-service mission, except courts acting in their judicial capacity;
  • the controller's or processor's main activities involve processing operations which, by their nature, scope and/or purposes, require regular and systematic large-scale monitoring of data subjects (it is worth noting that the term "large-scale" is not specifically defined);
  • the main activities of the controller or processor involve large-scale processing of special categories of personal data within the meaning of Article 9, or of data relating to criminal convictions and offences referred to in Article 10.

What does it mean?

Based on the above description, it is often not easy to decide whether a DPO is needed. Although it is rare for SMEs to be required to appoint a DPO, organisations should pay particular attention to the second point. Here, not only the number of data subjects and the amount of personal data processed, but also the duration of the processing and the geographical area concerned may determine whether the designation of a DPO is mandatory.

By way of example, in addition to utilities, municipalities, public administrations and educational institutions, SMEs that engage in data-driven marketing activities involving large data assets (loyalty programmes, marketing through mobile apps, profiling), use GPS-based geolocation technology or handle critical data (e.g. privately owned healthcare institutions) may also be subject to mandatory DPO designation. In our view, an individual doctor or lawyer should not be required to employ a DPO for the processing of his or her patients' or clients' data, but in the case of, say, a private medical practice with 10 doctors, the appointment of a DPO may be justified.

If you are unsure whether you should use a DPO, please contact us and we will help you decide.

Notwithstanding the above, since every organisation is obliged not only to establish but also to maintain GDPR-compliant operations, we recommend in all cases appointing an internal or external person to maintain and operate the data protection-related processes.


WHO CAN BE DPO?

When appointing a Data Protection Officer, we should consider the following:

  • The GDPR does not require a formal qualification or even mandatory training; it only requires a level of expertise appropriate to the complexity of the data processing. This person may be a designated staff member or an external contractor.
  • The organisation must involve the Data Protection Officer in its operations in a timely manner.
  • The DPO shall not receive instructions from the controller or processor in connection with the performance of his or her duties. The DPO shall report directly to the top management of the organisation.

In the light of the above, when appointing a DPO, attention should therefore be paid to potential conflicts of interest and to conflicts of responsibility and authority. Of course, these problems do not arise in the case of an external DPO.

DPO OR DATA PROTECTION OVERSIGHT?

Even if the organisation does not designate a DPO, it is always recommended that a person responsible for data protection be appointed. The goal under the GDPR is not only to establish compliance, but also to maintain it. Our experience has shown that in many cases appointing an internal staff member for this purpose is too great an additional burden for organisations: regular audits, continuous monitoring, interpretation of NAIH positions and continuous improvement of operations mean extra work for already overburdened colleagues, and hiring a new staff member is often more expensive than an external DPO or system monitoring service.

Whether it is DPO tasks or GDPR system monitoring services, our Certified Information Security Manager (CISM) qualified experts can perform these tasks efficiently and affordably.

Have a question? Contact us!