Article 37 GDPR
Legal Text
1. The controller and the processor shall designate a data protection officer in any case where:
- (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
Relevant Recitals
Commentary
Article 37 GDPR reaffirms[1] the importance of the role of the Data Protection Officer (DPO).[2] The role of the DPO is especially important for demonstrating compliance with data protection principles, which lies at the heart of the principle of accountability (Articles 5(2) and 24 GDPR).[3] Paragraph 1 imposes on controllers and processors the obligation to appoint a Data Protection Officer (DPO) under certain conditions. Paragraph 2 provides for the possibility of appointing a DPO for the entire group of undertakings, while paragraph 3 establishes a similar rule for public authorities. Paragraph 4 extends the requirement of appointing a DPO beyond the cases specified in paragraph 1, where this is mandated by the legislation of member states. Paragraphs 5 and 6 establish competence requirements for the DPO, obliging them to perform the tasks outlined in Article 39 and allowing the position to be held either by individuals already part of the controller's or processor's staff or external subjects on the basis of a contractual arrangement. Finally, paragraph 7 mandates the controller to publish the DPO's contact details and communicate them to the relevant data protection authority.
(1) Obligation to designate a data protection officer
Article 37, Paragraph 1, outlines the cases that mandate the appointment of a Data Protection Officer (DPO). This provision applies to both controllers and processors whose data processing activities entail higher risks compared to other processing operations, necessitating the additional presence of a DPO as a safeguard for data subjects and to facilitate potential interventions by data protection authorities. The DPO plays a crucial role in ensuring compliance with data protection regulations and in proactively addressing data privacy and security concerns within organizations engaged in more sensitive or high-risk data processing activities.
The controller and the processor
Article 37 concerns the designation of a DPO and applies to both controllers and processors. The obligation to appoint a DPO depends on whether the specific criteria for mandatory designation are met (see below, In any case where). In certain cases, either the controller or the processor alone may be required to appoint a DPO, while in other situations, both the controller and its processor must appoint one and ensure their cooperation. It is essential to note that even if the controller meets the criteria for mandatory DPO designation, its processor may not be obligated to appoint a DPO. Nevertheless, it is considered a best practice for the processor to appoint a DPO voluntarily.[4]
Example: A small family business active in the distribution of household appliances in a single town uses the services of a processor whose core activity is to provide website analytics services and assistance with targeted advertising and marketing. The activities of the family business and its customers do not generate processing of data on a ‘large scale’, considering the small number of customers and the relatively limited activities. However, the activities of the processor, having many customers like this small enterprise, taken together, are carrying out large-scale processing. The processor must therefore designate a DPO under Article 37(1)(b). At the same time, the family business itself is not under an obligation to designate a DPO.
Shall designate a DPO
The designation is an act carried out by the controller or the processor itself. As a result, there is no room for co-decision procedures, such as involving union representatives within the company. The form of the designation is flexible in the absence of legislative indications. Consequently, at least in theory, the absence of a written form does not render the designation invalid. However, the lack of a formal record creates evident challenges concerning accountability and the ability to demonstrate compliance (Article 24 GDPR).
The Data Protection Officer (DPO) does not necessarily need to be a new, additional specialist hired by the company or authority. Instead, an existing employee can also fulfill this role, either full-time or part-time, as an alternative or in addition to the possibility of engaging an external service provider. If the underlying employment or service relationship is terminated in accordance with the relevant national law, the basis for the appointment as a DPO also ceases to exist.[5]
The GDPR does not specifically regulate the employment or service contract with an external DPO under labor or civil service law, including the establishment and termination of this relationship. In particular, the GDPR does not grant protection against dismissal for the employment relationship under labor law. The prohibition of dismissal, as stated in Article 38(3) specifically pertains to the performance of DPO duties and does not extend to unrelated reasons beyond the scope of the DPO's responsibilities.[6]
In any case where
Article 37(1) GDPR specifies three conditions under which the designation of a DPO is mandatory. First, when processing is carried out by a public authority or body. Second, when the core activities of a controller or processor involve the regular and systematic monitoring of data subjects on a large scale. Third, when the core activities of a controller or processor involve the processing of Article 9 GDPR or Article 10 GDPR data on a large scale.
(a) Public authorities and bodies
A DPO is always required when processing is carried out by a public authority or body. The GDPR does not define what constitutes a public authority or body. The Working Party 29, endorsed by the EDPB, states that the notion is to be determined under national law. In this view, public authorities and bodies may include national, regional, and local authorities, but the term may also stretch to include other bodies that are governed by public law. In such cases, the designation of a DPO is mandatory.[7]
However, there are cases where a public task may also be carried out by other natural or legal persons in certain regulated sectors such as public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions. In these cases, data subjects may be in a very similar situation to when their data are processed by a public authority or body. In particular, "data can be processed for similar purposes and individuals often have similarly little or no choice over whether and how their data will be processed and may thus require the additional protection that the designation of a DPO can bring." Here, the designation of a DPO is not mandatory but recommended.[8]
Finally, Article 37(1)(a) GDPR makes clear that judicial authorities are excluded from the requirement to have a DPO, the reason for this being the principle that the judiciary should be independent from the enforcement provisions of the GDPR.[9] However, this derogation does not apply in instances where personal data processing is carried out by court administrations when they act as public authorities in a way that is linked to their judicial mandate.[10]
(b) Regular and systematic monitoring
Article 37(1)(b) GDPR imposes the obligation of appointing a DPO on controllers or processors whose core activities involve regular and systematic monitoring of data subjects on a large scale.
Core activities
Article 37(1)(b) GDPR and Article 37(1)(c) GDPR also extend the requirement to appoint a DPO to controllers or processors whose core activities either require the regular and systematic monitoring of data subjects on a large scale, or involve the processing of data under Article 9 GDPR or Article 10 GDPR. Recital 97 GDPR clarifies that the core activities of a controller are those relating to “primary activities and do not relate to the processing of personal data as ancillary activities”. The WP29 has clarified that the notion of ‘core activities’ can be considered as “the key operations necessary to achieve the controller’s or processor’s goals”.[11] However, ‘core activities’ should not be interpreted in such a way as to exclude processing operations that form an inextricable part of the controller’s or processor’s activities. The example given for this by the WP29 is a hospital which provides healthcare. A hospital needs to process health data in order to be able to effectively provide healthcare. In this instance, the processing of data should be considered part of the hospital’s core activities, and therefore the hospital would be obliged to designate a DPO.
Regular and systematic monitoring
The concept of “regular and systematic monitoring” of data subjects is mentioned in Recital 24 GDPR, and includes “all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising”.[12] Monitoring of data subjects can also take place outside of an online environment. Specifically, the WP29 has interpreted “regular” to mean: "Ongoing or occurring at particular intervals for a particular period; Recurring or repeated at fixed times; Constantly or periodically taking place", and “systematic” to mean: "Occurring according to a system; Pre-arranged, organized or methodical; Taking place as part of a general plan for data collection; Carried out as part of a strategy." Examples given by the WP29 of regular and systematic processing activities include the operation of a telecommunications network, data-driven marketing, and location tracking, among others.[13] Recent decisions by Data Protection Authorities in Europe have shown that fines will be issued for failing to appoint a DPO in instances where one is necessary. For example, on 10 November 2020 the Spanish Data Protection Authority (AEPD) issued a €50,000 fine against Conseguridad SL for failing to appoint a DPO.[14] The AEPD held that since Conseguridad SL was processing the personal data of a large number of people through its installation of video surveillance cameras, it was in breach of Article 37(1)(b) GDPR by not having a DPO.[15]
On a large scale
The term ‘large scale’ with regard to processing is also not defined in the GDPR. However, Recital 91 GDPR sheds some light on what it may mean, noting that large-scale processing operations might aim to “process a considerable amount of personal data at regional, national, or supranational level” and might “affect a large number of data subjects”. In this regard, the WP29 Guidelines mention four criteria with which the large-scale nature of processing operations can be assessed: (i) the number of data subjects concerned, (ii) the volume and range of data being processed, (iii) the duration or permanence of the processing, and (iv) the geographical extent of the processing activities. Examples given by the WP29 of large-scale processing activities include the regular processing of patient data in hospitals, or the processing of data by telephone or internet service providers. In contrast, the processing of personal data by an individual physician, for example, would not be considered large-scale processing.[16]
WP29: Examples of large-scale processing include: processing of patient data in the regular course of business by a hospital; processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards); processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services; processing of customer data in the regular course of business by an insurance company or a bank; processing of personal data for behavioural advertising by a search engine; processing of data (content, traffic, location) by telephone or internet service providers.[17]
(c) Special categories of data or data relating to criminal convictions and offences
In a similar fashion to Article 37(1)(b) GDPR, Article 37(1)(c) GDPR imposes the obligation of appointing a DPO on controllers or processors whose core activities involve, on a large scale, the processing of special categories of data under Article 9 GDPR or data relating to criminal convictions and offences under Article 10 GDPR. This requirement is evidently related to the importance that there is someone within the controller’s organisational structure that understands the sensitivity of the data that is being processed, and is well versed in what the processing of this kind of data implies. For any common definition, please refer to the above commentary under Article 37(1)(b) GDPR.
(2) Group of undertakings
Article 37(2) GDPR allows for the designation of a single DPO for a group of undertakings as long as the DPO is easily accessible from each establishment. The notion of accessibility refers to the DPO serving as a contact point for data subjects, DPAs and, internally, for the organisation itself.[18] The DPO must be, first and foremost, reachable. The contact details of the DPO must therefore be available both externally and internally. However, mere reachability alone is not sufficient. Stakeholders must also have the ability to physically access the DPO or one of the members of their team. The law indeed refers to a DPO as "easily accessible from each establishment", emphasizing the spatial aspect and the need for physical proximity between the DPO and other stakeholders.[19] To be "accessible" also implies that any communication should occur in the language(s) used by the supervisory authorities, the affected data subjects and the controller's or processor's staff.[20] The DPO must act as a primary point of contact. While the language proficiency of the DPO's staff can provide some support, it cannot fully replace the language competence of the DPO. This is because the DPO must have the ability to grasp the overall situation and possess at least a basic understanding of all relevant national laws, including a basic knowledge of the respective languages.[21]
(3) Multiple public authorities or bodies
Article 37(3) GDPR takes a similar approach to the preceding paragraph 2, stating that multiple public authorities or bodies may appoint a single DPO, once their organisational structure and size have been taken into account. If a single DPO is to be appointed for a variety of tasks and across such entities, it is the task of the controller or processor to ensure that the DPO can perform their activities efficiently. In other words, acting in that capacity for multiple entities must not hinder the effective execution of their tasks. To ensure that a DPO is effective, the WP29 recommends that they be located within the European Union, regardless of whether the controller or processor themselves is also established in the Union.[22]
(4) Other circumstances in which to designate a data protection officer
Article 37(4) GDPR stipulates that in instances other than those referred to in Article 37(1) GDPR, it may still be recommended or required by Member State law that a controller or processor, or groups of such, designate a DPO. This DPO may then act for such associations or other bodies representing controllers or processors. For instance, a DPO in this context could be useful in advising the groups of controllers or processors on frequently encountered issues, and could also serve as a communication channel between the represented controllers and processors, and the competent DPAs.[23]
(5) Expertise and skills of the DPO
Article 37(5) GDPR specifies that the DPO shall be designated on the basis of their professional qualities and in particular expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39 GDPR.
Professional qualities
While Article 37(5) does not explicitly outline the specific professional qualifications for appointing the DPO, it is crucial that DPOs possess expertise in both national and European data protection laws, as well as a comprehensive understanding of the GDPR. Additionally, promoting adequate and regular training for DPOs by supervisory authorities is beneficial. Furthermore, knowledge of the business sector and of the controller's organisational structure and tasks is valuable. The DPO should also demonstrate a thorough comprehension of the processing activities conducted, the information systems, and the controller's data security and data protection requirements. In the context of a public authority or body, the DPO should also possess a sound understanding of the organisation's administrative rules and procedures.[24]
Expert knowledge
The required level of expertise is not strictly defined but it must be commensurate with the sensitivity, complexity and amount of data an organisation processes. Recital 97 GDPR states that the necessary level of expert knowledge that the DPO should have should be determined according to what processing operations are being carried out, and what level of protection is necessary for the data that is being processed. The more complex the processing activities are, and the more measures of protection are needed, the more ‘knowledgeable’ the DPO will have to be.
WP29: For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support. There is also a difference depending on whether the organisation systematically transfers personal data outside the European Union or whether such transfers are occasional. The DPO should thus be chosen carefully, with due regard to the data protection issues that arise within the organisation.[25]
Ability to fulfil its tasks
The data protection officer shall be designated on the basis of, among other things, the ability to fulfil the tasks referred to in Article 39. These include, but are not limited to, informing and advising the controller and processor of their obligations under the GDPR; monitoring compliance with the GDPR and assisting in assigning responsibilities and training staff involved in processing operations; providing assistance with Data Protection Impact Assessments (DPIAs) where needed and monitoring their performance; and finally, cooperating with the DPA and acting as a channel of communication. The WP29 recalls that the ability to fulfil the responsibilities entrusted to the DPO should be understood to encompass both their personal qualities and knowledge, as well as their position within the organisation.[26]
Case-law: For example, the Luxembourg DPA fined a logistics company €15,000 for failing to ensure that its DPO could exercise its tasks as outlined in Article 39(1)(b) GDPR, inter alia because the DPO was not invited to all relevant meetings and did not report directly to the highest level of management.[27]
Personal qualities should encompass attributes such as integrity and a strong commitment to professional ethics. The character and track record of a person designated as a data protection officer play a crucial role in their suitability for the role. Past breaches of confidentiality obligations, a known history of careless work, issues with alcohol or drug use, or relevant criminal convictions such as embezzlement or bribery are significant factors that need to be considered. Personal reliability can be seen as part of the broader requirement that the data protection officer is capable of effectively carrying out their responsibilities. Moreover, the data protection officer's character traits are also important, ranging from the ability to collaborate constructively to the willingness to address data protection violations with management when necessary.[28]
(6) DPO on the basis of a service contract
Article 37(6) GDPR allows a designated DPO to be either a controller or processor’s staff member, or to alternatively be appointed on the basis of a service contract. This provision can be interpreted as providing added flexibility to the controller or processor in deciding how to best employ a DPO for their organisation. Importantly, it also does not require that the DPO be an entirely impartial body who is not associated with the controller or processor, much like an independent auditor might be. However, it is essential that the DPO fulfils the applicable requirements of Section 4 of the GDPR – for instance, that they have no conflict of interests.
(7) Contact details of the DPO
Finally, Article 37(7) GDPR requires that the controller or processor publish the contact details of the DPO, and communicate these to the relevant DPA. This provision has led to some misunderstandings regarding the interpretation of the term "contact details." A trend has emerged, especially among larger controllers, where they refrain from providing direct contact information for their DPO and instead attempt to implement communication systems based on online forms. However, this approach is not in compliance with the GDPR's requirements.
First, the literal meaning of the provision. The expression 'contact details' refers to content (e.g. the DPO's email address, or a telephone number). An online form provided by the controller does not fulfil this requirement because the online form is not a 'contact detail' but merely a 'contact mode'. The WP29 resolved this issue in unequivocal terms: "The contact details of the DPO should include information allowing data subjects and the supervisory authorities to reach the DPO in an easy way (a postal address, a dedicated telephone number, and/or a dedicated e-mail address). When appropriate, for purposes of communications with the public, other means of communications could also be provided, for example, a dedicated hotline, or a dedicated contact form addressed to the DPO on the organisation's website”.[29] Hence, the use of alternative means, although not excluded by the GDPR, is not sufficient to fulfil the legal obligation if the contact details of the DPO are not provided in the first place. A contact form may, however, be provided in addition to the contact details.
Case-law: The Italian Data Protection Authority confirmed this interpretation, arguing that “while the preparation of a form may, in general terms, constitute an organisational method designed to facilitate the submission of applications, it is not, however, in accordance with the rules in force on the protection of personal data to make the commencement of the procedure for the exercise of the right conditional on the prior submission of the completed form”.[30] The same DPA also fined a municipality €20,000 for, inter alia, failing to provide direct contact information of their DPO in violation of Article 37(7) GDPR.[31]
Secondly, as stated in the DPO guidelines cited above, the DPO's role is to ensure an easily accessible point of contact, especially where there is a reason for urgency. It must be noted here that Articles 33(3)(b) and 34(2) GDPR on post-data breach communications both require the controller to include the DPO's 'contact details', i.e. exactly the same wording used in Article 13(1)(b) GDPR. If one were to follow Apple's suggested reading, after the breach the controller could simply provide a contact form to both the DPA and the data subject. This would lead to unacceptable results. The DPA's supervisory requirements would not tolerate such an imposition. The same is to be said for the data subject. Imagine the case of a user who has lost control of their account as a result of the breach. An online form, accessible only after authentication, could conceivably be inaccessible, preventing the data subject from acting promptly to protect their interests.
Decisions
→ You can find all related decisions in Category:Article 37 GDPR
References
- ↑ The notion of appointing a DPO has its roots in Article 18(2) of the Data Protection Directive 1995 (Directive 95/46/EC) (DPD). However, although the DPD spoke about the designation of a DPO, it did not make this mandatory. With the GDPR’s introduction of the requirement to appoint a DPO in certain instances, the importance of the role embodied by the DPO can be said to have become pivotal.
- ↑ Indeed, the importance of appointing a DPO was confirmed by the European Data Protection Supervisor when they stated that “the Data Protection Officer is fundamental in insuring the respect of data protection principles within institutions/bodies”. EDPS, ‘Position Paper on the Role of Data Protection Officers in Ensuring Effective Compliance with Regulation (EC) 45/2001’, 28 November 2005, p. 3 (available here).
- ↑ EDPS, ‘Position paper on the role of Data Protection Officers of the EU institutions and bodies’, 30 September 2018, p. 14 (available here).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 9 (available here).
- ↑ Similarly, the grounds for dismissal of the basic relationship are determined by the labour, contract, or civil service law of the respective Member State. See Heberlein, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 37 GDPR, margin number 14 (C.H. Beck, 2nd edition 2018).
- ↑ Heberlein, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 37 GDPR, margin number 14 (C.H. Beck, 2nd edition 2018).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 6 (available here).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 6 (available here). The WP29 also rightfully points out that "Such a DPO’s activity covers all processing operations carried out, including those that are not related to the performance of a public task or exercise of official duty (e.g. the management of an employee database)."
- ↑ Alvarez Rigaudias, Spinas, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 37 GDPR, p. 692 (Oxford University Press 2020).
- ↑ Alvarez Rigaudias, Spinas, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 37 GDPR, p. 692 (Oxford University Press 2020).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 7 (available here).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 8 (available here).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 9 (available here).
- ↑ Data Protection Authority Spain (AEPD), PS/00251/2020, 29 October 2020 (available here).
- ↑ Data Protection Authority Spain (AEPD), PS/00251/2020, 29 October 2020 (available here).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 8 (available here).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 8 (available here).
- ↑ The latter is evident from Article 39(1) GDPR, which states that one of the tasks of a DPO is “to inform and advise the controller and the processor and the employees who carry out processing of their obligations pursuant to this Regulation”.
- ↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 37 GDPR, margin number 28 (C.H. Beck, 3rd edition 2020).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 10 (available here).
- ↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 37 GDPR, margin number 29 (C.H. Beck, 3rd edition 2020).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 11 (available here).
- ↑ Alvarez Rigaudias, Spinas, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 37 GDPR, p. 695 (Oxford University Press 2020).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 11 (available here).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 11 (available here).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 12 (available here).
- ↑ CNPD (Luxembourg), Délibération n° 20FR/2021 (available here).
- ↑ Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 37 GDPR, margin number 35 (C.H. Beck, 3rd edition 2020).
- ↑ WP29, ‘Guidelines on Data Protection Officers (“DPOs”)’, 16/EN WP 243 rev.01, 5 April 2017, p. 12 (available here).
- ↑ Garante per la protezione dei dati personali (Italy), 9795350 (available here).
- ↑ Garante per la protezione dei dati personali (Italy), 9773950 (available here).