PONT Data&Privacy

The position of the data protection officer: the Personal Data Authority provides clarity

Since the entry into force of the General Data Protection Regulation ('AVG'), data protection officers have played a central role in complying with the provisions of the AVG and protecting personal data within organizations. In certain situations, having a data protection officer ('FG') is even mandatory for organizations. Although the concept of the FG is not new and it is common practice in several Member States to appoint an FG, the implementation still sometimes poses problems and ambiguities. In an effort to remove these difficulties and further professionalize the profession, the Personal Data Authority ('AP') has recently published principles for establishing strong internal supervision. This blog provides a summary of the positioning of the FG within an organization.

Aug. 11, 2021

Background articles

What are the roles of the data protection officer?

Within an organization, the FG performs the role of advisor, supervisor and information hub.

1. The FG as an advisor:

  • Within his role as advisor, the FG informs and advises the controller or processor, and the employees who process personal data, about the obligations that follow from the AVG. The AP now clarifies that this means the FG is an internal and independent privacy officer who monitors compliance with the privacy policy drawn up by the organization and advises on its risks.

  • In specialized cases, the FG can seek (legal) advice from external parties before giving advice to the organization. For this, however, the FG cannot consult the AP.

  • When new products or services are developed, the FG advises on how processing can be carried out lawfully, properly and transparently. The FG is not responsible for following up his advice, but he does encourage the organization to become aware of the privacy risks that arise. This can only be achieved if the FG is highly visible within the organization and directly approachable by persons both within the organization and outside it.

2. Following on from the advisory role of the FG is his role as a supervisor:

  • The FG monitors compliance with the provisions of the AVG and the policies of the controller or processor regarding the protection of personal data.

  • This includes assigning responsibilities, raising awareness, training the personnel involved in the processing, and the related audits. Where necessary, the FG does this by addressing the highest administrative level of the organization and preparing a report when things go wrong or risks are identified.

  • When there are significant concerns about intentional non-compliance with the AVG, the FG should be able to report this to the AP.

3. In addition to his role as advisor and supervisor, the FG also acts as an information hub:

  • Due to the independent position of the FG, according to the AP it is not appropriate for the FG to speak for the organization in legal proceedings. However, this does not always seem to be clear to organizations or to the FG himself, as evidenced by the KNLTB fine, in which the KNLTB took the position that the AP erred in not involving the FG in the investigation despite the FG's willingness to cooperate and provide information.

  • Furthermore, the FG may not perform functions that carry responsibility for data processing; this too safeguards the independence of the FG by excluding a conflict of interest.

  • Thus, although the FG may not speak on behalf of the organization, the FG may act as the point of contact in regular contact with the AP.

The organization's responsibilities to the FG

To best perform the above roles, the organization has responsibilities towards the FG. The organization must ensure that the FG can hold an independent position within the organization, that he has adequate access to the highest administrative level within the organization, and that he is given sufficient time and resources to perform his task. If this does not happen, the AP can hold the organization accountable. The FG must also be given the opportunity to keep his expertise and skills up to date, although the FG is expected to take the lead in this himself. In addition to the responsibility to enable the FG to properly perform his duties, it is also the responsibility of the organization to inform the FG properly and in a timely manner about contact between the AP and the organization. The organization should establish rules for this purpose, so that whether the FG is informed does not depend on arbitrary decisions.

Processes

The principles also clarify the relationship between the AP and FG in various processes. For complaints from data subjects such as citizens, customers or employees about the processing of personal data, the FG serves as the first point of contact. The AP checks whether the FG has overseen the handling of the complaint and includes any input from the FG. If the complaint is addressed directly to the AP, the AP may ask the data subject to still contact the FG or, if appropriate, proceed directly to enforcement without prior contact with the FG. However, the first option is preferred by the AP.

If the AP starts a formal investigation, the AP does not speak with the FG about the content of the investigation from that point on. However, the AP can request the FG's reports and opinions from the organization to include in its assessment of data processing within the organization. This process is related to the FG's role as an information hub and its independent position. Because the FG has no substantive involvement in a formal investigation, the FG cannot later be accused of influencing the AP. Contact about the process of the investigation or other matters is possible, however.

What if the FG is not functioning properly?

The independent position of the FG means that the organization cannot simply relieve the FG of his duties or punish him for performing them. Nevertheless, there are conceivable situations in which it is undesirable that the organization cannot part with the current FG, such as when the FG is not functioning properly. However, sanctions are only prohibited when they are imposed as a result of the FG fulfilling his duties as FG. Perhaps there is an opening here for the dismissal of a non-functioning FG: it could be argued that the FG has not fulfilled his obligation of expertise. However, the AP has not yet clarified this, and neither does case law currently offer any possibilities for dismissing a poorly functioning FG. Dismissal for reasons other than for performing his duties as FG is therefore possible.

In conclusion

The profession of FG is becoming increasingly professionalized since the entry into force of the AVG. Still, one must remain vigilant about the position of the FG. Here the responsibility rests primarily on organizations to properly embed the position of the FG within the organization. An additional responsibility for organizations is to appoint an FG deliberately. Although taking a course to become an FG may generate sufficient expertise in some situations, in general it is advisable to be vigilant about the expertise of the FG. The independent position of the FG implies that he cannot simply be dismissed, even if he lacks sufficient expertise. As an organization, one would therefore do well to pay attention to this.

This blog was written by Martin Hemmer and Willeke Markesteijn (student intern).  

Want to learn more about this topic? Then attend the workshop The Role of the Data Protection Officer on December 7, 2021 during the Knowledge Market Data&Privacyweb.

AKD
