Article 37 GDPR: Difference between revisions

← Article 37 - Designation of the data protection officer →
Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

1. The controller and the processor shall designate a data protection officer in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Relevant Recitals

Commentary

Article 37 GDPR reaffirms^[1] the importance of the role of the Data Protection Officer (DPO).^[2] The role of the DPO is especially important for demonstrating compliance with data protection principles, which lies at the heart of the principle of accountability (Articles 5(2) and 24 GDPR).^[3] Paragraph 1 imposes on controllers and processors the obligation to appoint a Data Protection Officer (DPO) under certain conditions. Paragraph 2 provides the possibility of appointing a DPO for the entire group of undertakings, while paragraph 3 establishes a similar rule for public authorities. Paragraph 4 extends the requirement of appointing a DPO beyond the cases specified in paragraph 1, where this is mandated by the legislation of member states. Paragraphs 5 and 6 establish competence requirements for the DPO, obliging them to perform the tasks outlined in Article 39 and allowing the position to be held by individuals already part of the controller's or processor's staff or based on an external contractual arrangement. Finally, paragraph 7 mandates the controller to publish the DPO's contact details and communicate them to the relevant data protection authority.

(1) Obligation to designate a data protection officer

Article 37, Paragraph 1, outlines the cases that mandate the appointment of a Data Protection Officer (DPO). This provision applies to both controllers and processors whose data processing activities entail higher risks compared to other processing operations, necessitating the additional presence of a DPO as a safeguard for data subjects and to facilitate potential interventions by data protection authorities. The DPO plays a crucial role in ensuring compliance with data protection regulations and in proactively addressing data privacy and security concerns within organizations engaged in more sensitive or high-risk data processing activities.

The controller and the processor

Article 37 pertains to the designation of a DPO and applies to both controllers and processors. The obligation to appoint a DPO depends on whether the specific criteria for mandatory designation are met (see below, In any case where). In certain cases, either the controller or the processor alone may be required to appoint a DPO, while in other situations, both the controller and its processor must appoint one and ensure their cooperation. It is essential to note that even if the controller meets the criteria for mandatory DPO designation, its processor may not be obligated to appoint a DPO. Nevertheless, it is considered a best practice for the processor to appoint a DPO voluntarily.^[4]

Example: A small family business active in the distribution of household appliances in a single town uses the services of a processor whose core activity is to provide website analytics services and assistance with targeted advertising and marketing. The activities of the family business and its customers do not generate processing of data on a ‘large scale’, considering the small number of customers and the relatively limited activities. However, the activities of the processor, having many customers like this small enterprise, taken together, are carrying out large-scale processing. The processor must therefore designate a DPO under Article 37(1)(b). At the same time, the family business itself is not under an obligation to designate a DPO.

Shall designate a DPO

The designation is a typical action carried out by both the controller and the processor. As a result, there is no room for co-decision activities, such as involving potential union representatives within the company. The form of the designation is flexible in the absence of legislative indications. Consequently, at least in theory, the absence of a written form does not render the designation invalid. However, this lack of a formal record creates evident challenges concerning accountability and the ability to demonstrate the fact of the designation (Article 24 GDPR).

The Data Protection Officer (DPO) does not necessarily need to be a new, additional specialist hired by the company or authority. Instead, an existing employee can also fulfill this role, either full-time or part-time, in addition to the possibility of engaging an external service provider. If the underlying employment or service relationship is terminated in accordance with the relevant national law, the basis for the appointment as a DPO also ceases to exist.^[5]

The GDPR does not specifically regulate the employment or service contract with an external DPO under labor or civil service law, including the establishment and termination of this relationship. In particular, the GDPR does not grant protection against dismissal for the employment relationship under labor law. The prohibition of dismissal, as stated in Article 38(3) specifically pertains to the performance of DPO duties and does not extend to unrelated reasons beyond the scope of the DPO's responsibilities.^[6]

In any case where

Article 37(1) GDPR specifies three conditions in which the designation of a DPO is mandatory. First, when processing is carried out by a public authority or body. Second, when the core activities of a controller or processor involve the regular and systematic monitoring of data subjects on a large-scale. Third, when the core activities of a controller or processor involve the processing of Article 9 GDPR or Article 10 GDPR data on a large-scale.

(a) Public authorities and bodies

A DPO is always required when processing is carried out by a public authority or body. The GDPR does not define what constitutes a public authority or body. The Working Party 29, endorsed by the EDPB, states that the notion is to be determined under national law. In this view, public authorities and bodies may include national, regional, and local authorities, but the term may also stretch to include other bodies that are governed by public law. In such case, the designation of a DPO is mandatory.^[7]

However, there are cases where a public task may also be carried out by other natural or legal persons in certain regulated sectors such as public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions. In these cases, data subjects may be in a very similar situation to when their data are processed by a public authority or body. In particular, "data can be processed for similar purposes and individuals often have similarly little or no choice over whether and how their data will be processed and may thus require the additional protection that the designation of a DPO can bring." Here, the designation of a DPO is not mandatory but recommended.^[8]

Finally, Article 37(1)(a) GDPR makes clear that judicial authorities are excluded from the requirement to have a DPO, the reason for this being the principle that the judiciary should be independent from the enforcement provisions of the GDPR.^[9] However, this derogation does not apply in instances where personal data processing is carried out by court administrations when they act as public authorities in a way that is linked to their judicial mandate.^[10]

(b) Regular and systematic monitoring

Article 37(1)(b) GDPR imposes the obligation of appointing a DPO on controllers or processors whose core activities involve regular and systematic monitoring of data subjects on a large scale.

Core activities

Article 37(1)(b) GDPR and Article 37(1)(c) GDPR also extends the requirement to appoint a DPO to controllers or processors whose core activities require either the regular and systematic monitoring of data subjects on a large-scale, or involve processing of data under Article 9 GDPR or Article 10 GDPR Recital 97 GDPR clarifies that the core activities of a controller are those relating to “primary activities and do not relate to the processing of personal data as ancillary activities”. The WP29 has clarified that the notion of ‘core activities’ can be considered as “the key operations necessary to achieve the controller’s or processor’s goals”.^[11] However, the ‘core activities’ should not be interpreted in such a way that they exclude processing operations that form an inextricable part of the controller’s or processor’s activities. The example given for this by the WP29 is a hospital which provides healthcare. Here, a hospital would need to process health data in order to be able to effectively provide healthcare. In this instance, the processing of data should be considered to be part of a hospital’s core activities, and therefore the hospital would be obliged to designate a DPO.

Regular and systematic monitoring

This concept of “regular and systematic monitoring” of data subjects is mentioned in Recital 24 GDPR, and includes “all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising”.^[12] Monitoring of data subjects can also take place outside of the context of an online environment. Specifically, the WP29 has interpreted “regular” to mean: "Ongoing or occurring at particular intervals for a particular period; Recurring or repeated at fixed times; Constantly or periodically taking place." And interpreted “systematic” to mean: "Occurring according to a system; Pre-arranged, organized or methodical; Taking place as part of a general plan for data collection; Carried out as part of a strategy. Examples given of regular and systematic processing activities include the operation of a telecommunications network, data-driven marketing, and location tracking, among others."^[13] Recent judgments by Data Protection Authorities in Europe have shown that that fines will be issued for failing to appoint a DPO in instances where one is necessary. For example, on November 10^th 2020 the Spanish Data Protection Authority (AEPD) issued a €50,000 fine against Conseguridad SL for failing to appoint a DPO.^[14] The AEPD held that since Conseguridad SL was processing the personal data of a large number of people through its installation of video surveillance cameras, it was therefore in breach of Article 37(1)(b) GDPR by not having a DPO.^[15]

On a large scale

The term ‘large-scale’ with regards to processing is also not defined in the GDPR. However, Recital 91 GDPR sheds some light on what it may mean, noting that large-scale processing operations might aim to “process a considerable amount of personal data at regional, national, or supranational level” and might “affect a large number of data subjects”. In this regard, the WP29 Guidelines mention four criteria with which the large-scale nature of processing operations can be assessed: (i) the number of data subjects concerned, (ii) the volume and range of data being processed, (iii) the duration or permanence of the processing, and (iv) the geographical extent of the processing activities. Examples given by the WP29 of large-scale processing activities include the regular processing of patient data in hospitals, or the processing of data by telephone or internet service providers. In contrast, the processing of personal data by an individual physician, for example, would not be considered large-scale processing.^[16]

WP29: Examples of large-scale processing include: processing of patient data in the regular course of business by a hospital; processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards); processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services; processing of customer data in the regular course of business by an insurance company or a bank; processing of personal data for behavioural advertising by a search engine; processing of data (content, traffic, location) by telephone or internet service providers.^[17]

(c) Special category or data relating to criminal convictions and offences

In a similar fashion to Article 37(1)(b) GDPR, Article 37(1)(c) GDPR imposes the obligation of appointing a DPO on controllers or processors whose core activities involve, on a large scale, the processing of special categories of data under Article 9 GDPR or data relating to criminal convictions and offences under Article 10 GDPR. This requirement is evidently related to the importance that there is someone within the controller’s organisational structure that understands the sensitivity of the data that is being processed, and is well versed in what the processing of this kind of data implies. For any common definition, please refer to the above commentary under Article 37(1)(b) GDPR.

(2) Group of undertakings

Article 37(2) GDPR and Article 37(3) GDPR permit the designation of a single DPO for a group of undertakings as long as the DPO is easily accessible from each establishment.

The notion of accessibility refers to the DPO not only serving as a contact point for data subjects and DPAs, but also as a contact point internally for the organisation itself. The latter is evident from Article 39(1) GDPR, which states that one of the tasks of a DPO is to “to inform and advise the controller and the processor and the employees who carry out processing of their obligations pursuant to this Regulation”. Therefore, it is also important to make sure that the contact details of the DPO are available both externally and internally.^[18]

(3) Multiple public authorities or bodies

Article 37(3) GDPR takes a similar approach, stating that multiple public authorities or bodies may also appoint a single DPO, once their organizational structure and size has been taken into account. If a single DPO is to be appointed for a variety of tasks and across such entities, it is the task of the controller or processor to ensure that the DPO can perform their activities efficiently. In other words, their acting in capacity for multiple entities must not hinder the effective execution of their tasks. To ensure that a DPO is effective, the WP29 recommends that they be located within the European Union, regardless of whether the controller or processor themselves is also established in the Union.^[19]

(4) Other circumstances in which to designate a data protection officer

Article 37(4) GDPR stipulates that in instances other than those referred to in Article 37(1) GDPR, it may still be recommended or required by Member State law that a controller or processor, or groups of such, designate a DPO. This DPO may then act for such associations or other bodies representing controllers or processors. For instance, a DPO in this context could be useful in advising the groups of controllers or processors on frequently encountered issues, and could also serve as a communication channel between the represented controllers and processors, and the competent DPAs.^[20]

(5) Expertise and skills of the DPO

Article 37(5) GDPR specifies that the DPO shall be designated on the basis of their professional qualities and expert knowledge of data protection law. In particular, this provision makes reference to Article 39 GDPR, which details the DPO’s tasks. These include, but are not limited to, tasks such as informing and advising the controller and processor of their obligations under the GDPR; monitoring compliance with the GDPR and assisting in assigning responsibilities and training staff involved in processing operations; providing assistance with Data Protection Impact Assessments (DPIAs) where needed and monitoring compliance with them; and finally, cooperating with the DPA and acting as a channel of communication.

Recital 97 GDPR also states that the necessary level of expert knowledge that the DPO should have should be determined according to what processing operations are being carried out, and what level of protection is necessary for the data that is being processed. The more complex the processing activities are, and the more measures of protection are needed, the more ‘knowledgeable’ the DPO will have to be. However, as Article 39 GDPR clearly establishes, a DPO will need to know their way around the GDPR well enough in order to be able to effectively carry out the tasks required of them. Although Article 37(5) GDPR does not specify the specific qualifications that a DPO must have, knowledge of the business sector, along with an understanding of the controller and their tasks, will be an asset.

(6) DPO on the basis of a service contract

Article 37(6) GDPR allows a designated DPO to be either a controller or processor’s staff member, or to alternatively be appointed on the basis of a service contract. This provision can be interpreted as providing added flexibility to the controller or processor in deciding how to best employ a DPO for their organisation. Importantly, it also does not require that the DPO be an entirely impartial body who is not associated with the controller or processor, much like an independent auditor might be. However, it is essential that the DPO fulfils the applicable requirements of Section 4 of the GDPR – for instance, that they have no conflict of interests.

(7) Contact details of the DPO

Finally, Article 37(7) GDPR requires that the controller or processor publish the contact details of the DPO, and communicate these to the relevant DPA. One can interpret that this provision’s objective is the facilitation of communication and transparency between the data subject or DPA and the DPO. It is important to note, however, that this provision does not require that the name of the DPO be published; in other words, contact details may include the contact email address, but do not have to necessarily result in the publication of any personal data.

Decisions

→ You can find all related decisions in Category:Article 37 GDPR

References