Assuming your business activities fall within the territorial scope of the GDPR, you may be required to designate a Data Protection Officer (DPO). A DPO may be an employee or designated outside service provider who has expert knowledge of data protection law and practices. The DPO’s job is to inform and advise the company of their obligations pursuant to the GDPR and other EU (and member state) data protection laws, monitor compliance with law and with the internal policies of the organization including assigning responsibilities and training staff, advise and monitor data protection impact assessments, and cooperate and act as point of contact with the supervisory authority.
The GDPR mandates that private-sector businesses designate a DPO if their core activities consist of:
- Processing operations which, by virtue of their nature, scope and/or purposes require regular and systematic monitoring of data subjects on a large scale; or
- Processing on a large scale of special categories of data and data relating to criminal convictions and offenses.
The Article 29 Working Party has issued Guidelines on DPOs (“Guidelines”) that better explain these requirements.
According to the Guidelines, “core activities” can be considered as the key operations necessary to achieve the business’s goals. However, “core activities” should not be interpreted as excluding activities where the processing of data forms an inextricable part of the organization’s activity. Examples given include hospitals that must process private health data in order to give medical care and private security companies that process personal data as part of their surveillance duties.
The Guidelines recommend considering the following factors to determine whether your data monitoring or processing occurs on a “large scale”:
- The number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
- The volume of data and/or the range of different data items being processed;
- The duration, or permanence, of the data processing activity; and
- The geographical extent of the processing activity.
Examples of “large scale” activities include processing of real-time geolocation data of customers of an international fast food chain for statistical purposes, and processing of personal data for behavioral advertising by an Internet search engine. An individual physician who processes patient data or a law firm that processes personal data about criminal convictions would not constitute large scale processing.
Regular and Systematic Monitoring
The Guidelines interpret “regular” as one or more of the following:
- Ongoing or occurring at particular intervals for a particular period;
- Recurring or repeated at fixed times; and
- Constantly or periodically taking place.
“Systematic” is interpreted to mean one or more of the following:
- Occurring according to a system;
- Pre-arranged, organized or methodical;
- Taking place as part of a general plan for data collection; and
- Carried out as part of a strategy.
Examples of “regular and systematic monitoring” include location tracking by mobile apps, behavioral advertising, closed circuit television, and connected devices (the Internet of things).
Special Categories of Personal Data
Although the second category of activities that require appointment of a DPO refers to the large scale processing of “special categories of data and data relating to criminal convictions,” the Guidelines state it should be read as “or.” This means that organizations that process special categories of data having nothing to do with criminal convictions are still required to designate a DPO if they process that data on a large scale. The special categories of personal data are defined in GDPR Article 9 as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, . . . genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
If your organization engages in regular and systematic monitoring of data subjects or processes sensitive data, you need to assess whether those processing activities are “core” or primary activities of the business and, if so, whether the monitoring and/or processing is done on a large scale.