Article 37 GDPR

From GDPRhub
Article 37 - Designation of the data protection officer

Legal Text


Article 37 - Designation of the data protection officer


1. The controller and the processor shall designate a data protection officer in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Relevant Recitals

Recital 97

Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large-scale, or where the core activities of the controller or the processor consist of processing on a large-scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

Commentary

Overview

Article 37 reaffirms the importance of the role of the Data Protection Officer (DPO). Indeed, the importance of appointing a DPO was confirmed by the European Data Protection Supervisor when they stated that “the Data Protection Officer is fundamental in insuring the respect of data protection principles within institutions/bodies”[1]. The notion of appointing a DPO has its roots in Article 18(2) of the Data Protection Directive 1995 (Directive 95/46/EC) (DPD). However, although the DPD spoke about the designation of a DPO, it did not make this mandatory. With the introduction of the requirement to appoint a DPO in certain instances in the GDPR, the importance of the role embodied by the DPO can be said to have become pivotal. The role of the DPO is especially important for demonstrating compliance with data protection principles, which lies at the heart of the principle of accountability[2].

Obligation to designate a Data Protection Officer

Article 37(1) specifies three conditions in which the appointment of a DPO is mandatory. First, when processing is carried out by a public authority or body. Second, when the core activities of a controller or processor involve the regular and systematic monitoring of data subjects on a large-scale. Third, when the core activities of a controller or processor involve the processing of Article 9 or Article 10 data on a large-scale.

Public authorities and bodies

The GDPR does not define what constitutes a public authority or body; however, the Article 29 Working Party (WP29) has stated that this is considered to be something that falls within the purview of national law[3]. Though public authorities and bodies may include national, regional, and local authorities, the term may also stretch to include other bodies that are governed by public law. In such instances, the designation of a DPO is obligatory[4]. Even in the instances where a natural or legal person exercises a public task, there is the need to designate a DPO. The WP29 also recommends that in instances where private organizations carry out public tasks, they also designate a DPO.

Article 37(1)(a) makes clear that judicial authorities are excluded from the requirement to have a DPO, the reason for this being the principle that the judiciary should be independent from the enforcement provisions of the GDPR[5]. However, this derogation does not apply in instances where personal data processing is carried out by court administrations when they act as public authorities in a way that is linked to their judicial mandate[6].

Defining “core activities”

Article 37(1)(b) and Article 37(1)(c) also extend the requirement to appoint a DPO to controllers or processors whose core activities require either the regular and systematic monitoring of data subjects on a large-scale, or involve processing of Article 9 or 10 data. Recital 97 clarifies that the core activities of a controller are those relating to “primary activities and do not relate to the processing of personal data as ancillary activities”. In other words, the data processing needs to be a primary goal of the controller or processor, and not simply a peripheral one.

The WP29 has clarified that the notion of ‘core activities’ can be considered as “the key operations necessary to achieve the controller’s or processor’s goals”[7]. However, the ‘core activities’ should not be interpreted in such a way that they exclude processing operations that form an inextricable part of the controller’s or processor’s activities. The example given for this by the WP29 is a hospital which provides healthcare. Here, a hospital would need to process health data in order to be able to effectively provide healthcare. In this instance, the processing of data should be considered to be part of a hospital’s core activities, and therefore the hospital would be under the obligation to designate a DPO.

Defining “large-scale”

The term ‘large-scale’ with regard to processing is also not defined in the GDPR. However, Recital 91 sheds some light on what it may mean, noting that large-scale processing operations might aim to “process a considerable amount of personal data at regional, national, or supranational level” and might “affect a large number of data subjects”. In this regard, the WP29 Guidelines mention four criteria with which the large-scale nature of processing operations can be assessed: (1) the number of data subjects concerned, (2) the volume and range of data being processed, (3) the duration or permanence of the processing, and (4) the geographical extent of the processing activities[8]. Examples given by the WP29 of large-scale processing activities include the regular processing of patient data in hospitals, or the processing of data by telephone or internet service providers. In contrast, the processing of personal data by an individual physician, for example, would not be considered large-scale processing.

Article 37(1)(b): “regular and systematic monitoring”

Article 37(1)(b) imposes the obligation of appointing a DPO on controllers or processors whose core activities involve regular and systematic monitoring of data subjects on a large scale. This concept of “regular and systematic monitoring” of data subjects is mentioned in Recital 24, and includes “all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising”[9]. Monitoring of data subjects can also take place outside of the context of an online environment. Specifically, the WP29 has interpreted “regular” to mean:

· Ongoing or occurring at particular intervals for a particular period
· Recurring or repeated at fixed times
· Constantly or periodically taking place

And interpreted “systematic” to mean:

· Occurring according to a system
· Pre-arranged, organized or methodical
· Taking place as part of a general plan for data collection
· Carried out as part of a strategy

Examples given of regular and systematic processing activities include the operation of a telecommunications network, data-driven marketing, and location tracking, among others[10].

Recent judgments by Data Protection Authorities in Europe have shown that fines will be issued for failing to appoint a DPO in instances where one is necessary. For example, on November 10th 2020 the Spanish Data Protection Authority (AEPD) issued a €50,000 fine against Conseguridad SL for failing to appoint a DPO[11]. The AEPD held that since Conseguridad SL was processing the personal data of a large number of people through its installation of video surveillance cameras, it was therefore in breach of Article 37(1)(b) by not having a DPO[12].

Article 37(1)(c): “special category or data relating to criminal convictions and offences”

In a similar fashion to Article 37(1)(b), Article 37(1)(c) imposes the obligation of appointing a DPO on controllers or processors whose core activities involve, on a large scale, the processing of special category data under Article 9 or data relating to criminal convictions and offences under Article 10. It can be inferred that the reason behind this requirement is the sensitive nature of the data which falls under Article 9 or 10.

Data Protection Officers of group undertakings or multiple public authorities or bodies

Article 37(2) and Article 37(3) permit the designation of a single DPO for a cluster of undertakings or several public authorities or bodies. Article 37(2) states that a single DPO can be appointed for multiple undertakings, as long as the DPO is easily accessible from each establishment. The WP29 has clarified that this notion of accessibility refers both to the DPO serving as a contact point for data subjects and supervisory authorities, and to the DPO serving as a contact point internally for the organization[13]. The latter is evident from Article 39(1), which states that one of the tasks of a DPO is “to inform and advise the controller and the processor and the employees who carry out processing of their obligations pursuant to this Regulation”. Therefore, it is also important to make sure that the contact details of the DPO are available.

Article 37(3) takes a similar approach, stating that multiple public authorities or bodies may also appoint a single DPO, once their organizational structure and size has been taken into account. If a single DPO is to be appointed for a variety of tasks and across such entities, it is the task of the controller or processor to ensure that the DPO can perform their activities efficiently. In other words, acting in this capacity for multiple entities must not hinder the effective execution of their tasks. To ensure that a DPO is effective, the WP29 recommends that they be located within the European Union, regardless of whether the controller or processor themselves is also established in the Union[14].

Other circumstances in which to designate a Data Protection Officer

Article 37(4) stipulates that in instances other than those referred to in Article 37(1), it may still be recommended or required by Member State law that a controller or processor, or groups of such, designate a DPO. This DPO may then act for such associations or other bodies representing controllers or processors. For instance, a DPO in this context could be useful in advising the groups of controllers or processors on frequently encountered issues, and could also serve as a communication channel between the represented controllers and processors, and the competent supervisory authorities[15].

Expertise and skill of the DPO

Article 37(5) specifies that the DPO shall be designated on the basis of their professional qualities and expert knowledge of data protection law. In particular, Article 37(5) makes reference to Article 39, which details the tasks of the DPO. These include tasks such as but not limited to:

· Informing and advising the controller and processor of their obligations under the GDPR
· Monitoring compliance with the GDPR and assisting in assigning responsibilities and training staff involved in processing operations
· Providing assistance with data protection impact assessments where needed and monitoring compliance with them
· Cooperating with the supervisory authority and acting as a channel of communication

Recital 97 also states that the necessary level of expert knowledge that the DPO should have should be determined with reference to what processing operations are being carried out, and what level of protection is necessary for the data that is being processed. Implicit in this is the assumption that the more complex the processing activities and the more measures of protection needed, the more ‘knowledgeable’ the DPO will have to be. However, as Article 39 makes clear, a DPO will need to know their way around the GDPR well enough to be able to effectively carry out the tasks required of them. Although Article 37(5) does not specify qualifications that a DPO must have, knowledge of the business sector, along with an understanding of the controller and their tasks, will be an asset.

DPO on the basis of a service contract

Article 37(6) permits the DPO appointed to be a staff member of the controller or processor, or alternatively allows for the DPO to be appointed on the basis of a service contract. This provision can be interpreted as providing added flexibility to the controller or processor in deciding how to best employ a DPO for their organisation. Importantly, it also does not require that the DPO be an entirely impartial body who is not associated with the controller or processor, much like an independent auditor might be.

However, it is essential that the DPO fulfills the applicable requirements of Section 4 of the GDPR – for instance, that they have no conflict of interests.

Contact details of the DPO

Finally, Article 37(7) requires that the controller or processor publish the contact details of the DPO and communicate these to the relevant supervisory authority. One can interpret the objective of this to be the facilitation of communication and transparency between the data subject or supervisory authority and the DPO. It is important to note, however, that Article 37(7) does not require that the name of the DPO be published; in other words, contact details may include the contact email address, but do not necessarily have to result in the publication of any personal data.


[1] EDPS 2005: European Data Protection Supervisor, “Position Paper on the Role of Data Protection Officers in Ensuring Effective Compliance with Regulation (EC) 45/2001”, November 28th 2005.

[2] EDPS 2018: European Data Protection Supervisor, “Position paper on the role of Data Protection Officers of the EU institutions and bodies”, September 30th 2018.

[3] WP29: Article 29 Working Party, “Guidelines on Data Protection Officers (“DPOs”)”, WP 243 rev.01, as last revised and adopted on April 5th 2017.

[4] Ibid.

[5] Kuner, Bygrave, Docksey, “The EU General Data Protection Regulation (GDPR); A Commentary”, Oxford University Press 2020, pg. 692.

[6] Ibid.

[7] WP29 (n.3) pg. 7.

[8] WP29 (n.3) pg. 8.

[9] Ibid.

[10] WP29 (n.3) pg. 9.

[11] Agencia Española de Protección de Datos, Procedimiento Nº: PS/00251/2020.

[12] Ibid.

[13] WP29 (n.3) pg. 10.

[14] WP29 (n.3) pg. 11.

[15] Kuner, (n.5) pg. 695.

Decisions

→ You can find all related decisions in Category:Article 37 GDPR