The General Data Protection Regulation (the Regulation) determines which controllers are obliged to appoint a Data Protection Officer (DPO; abbreviated OZLP in the original text), who may be appointed as a DPO, and whether one DPO may be appointed to perform this function for several controllers.
Below, the provision of the Regulation on the appointment of a DPO[1] is set out, together with the clarifications and recommendations given in the Guidelines on Data Protection Officers of the Article 29 Working Party (the WP29 Guidelines).
The following are obliged to appoint a DPO:
- all public authorities and bodies,[2] except courts acting in their judicial capacity,[3]
- controllers whose core activities consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, and
- controllers whose core activities consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.
The obligation to appoint a DPO applies equally to the controller and to the processor.
The Regulation does not define what is meant by core activities, by regular and systematic monitoring of data subjects, or by large-scale processing of personal data.
According to the WP29 Guidelines:
- private organisations that carry out public tasks or exercise public authority are, as a matter of good practice, also recommended to appoint a DPO, even though they are not public authorities or bodies in the strict sense,
- the core activities of a controller are the key operations necessary to achieve the controller's goals; core activities are not limited to the activities in which data processing is the stated purpose, but also cover activities of which the processing of personal data forms an inextricable part,[4]
- regular and systematic monitoring of data subjects includes all forms of tracking and profiling on the internet, but the notion of monitoring is not limited to the online environment,[5]
- WP29 recommends that, when assessing whether processing is carried out on a large scale, the following factors be taken into account:
  - the number of data subjects concerned,
  - the volume of data and/or the range of different data items being processed,
  - the duration or permanence of the processing,
  - the geographical extent of the processing,
- unless it is obvious that a controller is under no legal obligation to appoint a DPO, WP29 recommends that every controller carry out an internal analysis of the relevant factors and criteria in order to determine whether a DPO must be appointed. A controller under no legal obligation to appoint a DPO may still do so on a voluntary basis. A controller that has appointed a DPO voluntarily is subject to the same obligations as controllers that are legally required to appoint one.
The Regulation provides that the DPO may be:
- a staff member of the controller, or
- engaged by the controller on the basis of a service contract.
According to the WP29 Guidelines, a service contract may be concluded with an individual or with an external organisation. In the latter case it is essential that each member of that organisation performing DPO functions meets the requirements for the position, and that they are protected against the service contract being terminated without grounds on account of their DPO tasks. A service contract may also engage a team rather than a single individual, combining the professional qualifications and personal skills of the team members. In that case there must be a clear allocation of tasks within the team, and a single individual should be designated as the lead contact and person in charge.
The Regulation allows a single DPO to be appointed in the following cases:
- a group of undertakings may appoint a single DPO, provided that the DPO is easily accessible from each of the undertakings for which they perform this function;[6]
- several public authorities or bodies may appoint a single DPO, taking account of their organisational structure and size.[7]
According to the WP29 Guidelines, accessibility of the DPO means accessibility to data subjects, to the supervisory authority (DZLP) and within the controller itself. This clarification of accessibility when a DPO is appointed for several controllers applies to both the public and the private sector.
Obligation to publish contact data with OZLP
The Regulation also obliges the controller to publish the contact details of the DPO and to communicate them to the supervisory authority.
The aim is to ensure that data subjects and the supervisory authority can contact and communicate with the DPO directly and easily. Contact details are taken to mean a telephone number and an email address; a dedicated contact form may also be set up on the controller's website. The provision does not require the DPO's name to be included in the published contact details.
WP29 recommends that the supervisory authority (DZLP) be informed of the name and contact details of the DPO, and that these also be published on the controller's website and internally, in the internal telephone directory and the organisational chart.
Obligation for secrecy and confidentiality of data
Under the Regulation, the DPO is bound by secrecy and confidentiality in performing their tasks; this does not prevent the DPO from contacting and seeking advice from the supervisory authority (DZLP).
[1] Article 37 of the Regulation
[2] Regardless of which data they process and on what scale
[3] Courts must appoint a DPO to oversee compliance with data protection rules in processing operations carried out outside their judicial capacity
[4] Example: the core activity of a hospital is to provide healthcare and patient care, but this cannot be done without processing health data.
[5] Example: the provision of electronic communications services: profiling, location tracking through mobile applications, monitoring of fitness and health data through mobile applications, etc.
[6] In the private sector, two or more smaller companies (with fewer employees or fewer personal data processing operations) that form a group may appoint a single DPO, who should then be engaged on the basis of a service contract.
[7] In the public sector, two or more public authorities or bodies (with fewer employees or fewer personal data processing operations) that do not have a complex organisational structure may appoint a single DPO, who should then be engaged on the basis of a service contract.