WP29 approved Revised Guidelines on DPOs


In its plenary meeting held in April 2017, Working Party 29 (WP29) examined certain critical matters regarding the implementation of Regulation 2016/679, the s.c. General Data Protection Regulation (GDPR).

In that occasion, WP29 approved the Revised Guidelines on DPOs (Revised Guidelines), which contain also the following highlights compared to the Guidelines on Data Protection Officer (Guidelines) previously published.

Accountability principle. The Revised Guidelines clarifies how – unless it is obvious that an organization is not required to designate a DPO – controllers and processors document the internal analysis carried out to determine whether or not a DPO is to be appointed. This analysis is part of the documentation under the accountability principle (Article 24(1), GDPR) and it is necessary to demonstrate that the relevant factors have been taken into account properly to make the required decision. The accountability principle also means that the DPO assessments shall (i) be requested at anytime by the supervisory authority and (ii) be kept up-to-date.

DPO’s tasks. The Revised Guidelines clarifies that the DPO “is designated for all the processing operations”. It is not relevant if the processing operations are carried out by the controller or the processor, or whether the DPO was designated on a mandatory or voluntary basis. Once appointed, the DPO is responsible for all the processing activities carried out by the organization.

The Revised Guidelines also clarify that private organizations carrying out public tasks or exercising public authority are not required to designate a DPO. However, if, as a good practice, these appoint a DPO, his/her activity covers all processing operations carried out, “including those that are not related to the performance of a public task or exercise of official duty (e.g. the management of an employee database).”

Specification of what constitutes “regular and systematic monitoring of data subjects”. The notion of regular and systematic monitoring of data subjects is not defined in the GDPR. Whereas 24, GDPR, specifies the concept of “monitoring of the behaviour of data subjects”, including all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. The Guidelines provided several examples to explain what constitutes a “regular and systematic monitoring”. The Revised Guidelines add a reference to “data-driven marketing activities”. This might have been specified to include big data operations.

One DPO. Multiple amendments in the Revised Guidelines confirm that organizations can appoint only one DPO.

The Revised Guidelines, clarifies, for example that several organizations may designate a single DPO. The DPO can receive help and support from a team. This support would allow the DPO to efficiently communicate with data subjects and cooperate with the supervisory authorities, as well as to carry out his/her tasks.

The revised Guidelines also recommend a clear allocation of tasks within the DPO team “to prevent conflicts of interests for the team members”.

EU DPO. The Revised Guidelines stress that the DPO should effectively be accessible. To ensure that the DPO is accessible, the Revised Guidelines recommends that the DPO be located within the EU, notwithstanding whether the controller or the processor is established in the EU.

However, the DPO may be located outside the EU (i) in some situations where the controller or the processor has no EU establishment, and if (ii) he/she “may be able to carry out his or her activities more effectively if located outside the EU.”

In order to ensure that data subjects will be able to contact him/her, the DPO, whether internal or external, shall be available. The DPO has to be available either physically on the same premises or via a hotline or other secure means of communication.

Confidential communication. The easy accessibility of the DPO also allows to ensure the confidentiality of communications between the DPO and employees. The Revised Guidelines warns how “employees may be reluctant to complain to the DPO if the confidentiality of their communications is not guaranteed.”

No conflict of interest. The Revised Guidelines also stress how the DPO shall not have any task that might raise a conflict of interest. Considering that the GDPR does not restrict DPOs from carrying out other tasks, the Revised Guidelines provide examples of conflicting positions within the organization.

These may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other positions that would lead to the determination of purposes and means of processing.

In addition, a conflict of interests may also arise for example if an external DPO, that is, for example, a lawyer, is asked to represent the controller or processor before the Courts in cases involving data protection issues.

DPO as a unicorn. In a previous article, we debated the skills that the DPO should possess. We referred to the FAQs listing the necessary organizational, legal and technical skills.

In that article, we also pointed out how the Guidelines and the FAQ differ semantically in another way: the Guidelines uses the word “should” for all the skills (except the organizational ones) while the FAQ no. 7 uses the word “necessary” for all the skills, making the Guidelines seem less compelling than the FAQs.

The Revised Guidelines now align their text to the already apparent compulsiveness of the requirement. They explain that “Although Article 37(5) does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.”

The DPO’s focus on legal skills remains undeniable, and so do also the other tech skills that the officer must possess. In the Revised Guidelines, WP29 didn’t expressly allow any flexibility in the choice of the skills that a DPO must possess. For now, the appointment of a DPO still seem to be close to the search for a unicorn, given that the DPO still needs to be a legal/tech savvy professionals, with some knowledge of the business sector and the organization.

Annexes. In addition, the Revised Guidelines have an annex that briefly summarizes key requirements concerning the DPO under the GDPR.

For a redline comparison of the Guidelines, see here.