In our “Could your DPO be in a position of a conflict of interests?” blog, we reviewed the administrative fine of 50,000 EUR imposed by the Belgian Data Protection Authority on a company for failing to ensure that the other tasks assigned to its Data Protection Officer (DPO) were free of conflicts of interest.
In June 2020, the Spanish Data Protection Agency (AEPD) also issued a resolution on the DPO requirements under the General Data Protection Regulation (GDPR). In this case, the AEPD imposed an administrative fine of 25,000 EUR on a company for failing to appoint a DPO as required by Article 37 of the GDPR.
Article 37 of the GDPR requires the appointment of a DPO in three circumstances, namely where an organisation:
- Is a public authority or body (other than a court acting in its judicial capacity);
- Has core activities consisting of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- Has core activities consisting of large-scale processing of special categories of data (i.e. sensitive data under Article 9) or of data relating to criminal convictions and offences (Article 10).
Following the AEPD’s investigation, the company argued that its processing activities were exempt from the obligation to appoint a DPO. At the same time, it claimed that the DPO’s tasks were in any event performed by the company’s data protection committee.
However, the AEPD concluded that the company carried out personal data processing on a large scale, which triggered the obligation to appoint a DPO (Article 37(1)(b) GDPR). In determining that the processing was large scale, the AEPD took into account the number of customers the company had. The GDPR itself does not define “large scale”; the Article 29 Working Party’s guidelines on DPOs (WP243) point to factors such as the number of data subjects concerned, the volume of data, the duration of the processing and its geographical extent, so organisations that process data about a large customer base should not assume that the obligation does not apply to them.
The AEPD also examined the claim that the DPO’s tasks were performed by the company’s data protection committee. It noted that, at the time of the sanctioning procedure, the privacy notice on the company’s website made no mention of a data protection committee acting as DPO, which would have evidenced such an appointment. The company had therefore also failed to meet the transparency requirements of Articles 13 and 14 of the GDPR, which require the contact details of the DPO to be provided to data subjects (Article 37(7) further requires those details to be published and communicated to the supervisory authority).
This resolution illustrates the approach to data protection compliance introduced by the GDPR, with its marked focus on internal accountability, and the critical role the DPO plays in an organisation’s privacy governance. Under Article 39 of the GDPR, the DPO’s tasks include informing and advising the organisation and its employees of their obligations under the GDPR, monitoring compliance with those obligations and the organisation’s own data protection policies, advising on data protection impact assessments, and acting as the point of contact for the supervisory authority. To perform these tasks effectively, the DPO must be able to act with independence and autonomy: under Article 38(3) the DPO may not receive instructions regarding the exercise of those tasks, may not be dismissed or penalised for performing them, and must report directly to the highest level of management.
The GDPR allows the DPO role to be filled in either of two ways:
- Internally, by a staff member with “expert knowledge of data protection law and practices” (Article 37(5)) who is able to act independently. Where the DPO also holds other roles, the organisation must ensure that those other tasks and duties do not result in a conflict of interests (Article 38(6)), which in practice rules out positions that determine the purposes and means of processing, such as head of IT, HR or marketing.
- Externally, by engaging an independent individual or organisation to provide the DPO service under a service contract (Article 37(6)).