Article 37 GDPR

← Article 37 - Designation of the data protection officer →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 37 - Designation of the data protection officer

1. The controller and the processor shall designate a data protection officer in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Relevant Recitals

Recital 97: Data Protection Officer

Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

Commentary

Article 37 GDPR reaffirms the importance of the role of the Data Protection Officer (DPO). Indeed, the importance of appointing a DPO was confirmed by the European Data Protection Supervisor when they stated that “the Data Protection Officer is fundamental in insuring the respect of data protection principles within institutions/bodies”.^[1] The notion of appointing a DPO has its roots in Article 18(2) of the Data Protection Directive 1995 (Directive 95/46/EC) (DPD). However, although the DPD spoke about the designation of a DPO, it did not make this mandatory. With the GDPR’s introduction of the requirement to appoint a DPO in certain instances, the importance of the role embodied by the DPO can be said to have become pivotal. The role of the DPO is especially important for demonstrating compliance with data protection principles, which lies at the heart of the principle of accountability (Articles 5(2) and 24 GDPR).^[2]

EDPB Guidelines: on this Article, please see Data Protection Officer - WP29

(1) Obligation to Designate a Data Protection Officer

Article 37(1) GDPR specifies three conditions in which the appointment of a DPO is mandatory. First, when processing is carried out by a public authority or body. Second, when the core activities of a controller or processor involve the regular and systematic monitoring of data subjects on a large-scale. Third, when the core activities of a controller or processor involve the processing of Article 9 GDPR or Article 10 GDPR data on a large-scale.

(a) Public Authorities and Bodies

The GDPR does not define what constitutes a public authority or body, however, the Article 29 Working Party (WP29) has stated that this is considered to be something that falls within the purview of national law.^[3] Though public authorities and bodies may include national, regional, and local authorities, the term may also stretch to include other bodies that are governed by public law. In such instances, the designation of a DPO is obligatory.^[4] Even in the instances where a natural or legal person exercises a public task, there is the need to designate a DPO. The WP29 also recommends that in instances where private organizations carry out public tasks, they also designate a DPO. Article 37(1)(a) GDPR makes clear that judicial authorities are excluded from the requirement to have a DPO, the reason for this being the principle that the judiciary should be independent from the enforcement provisions of the GDPR.^[5] However, this derogation does not apply in instances where personal data processing is carried out by court administrations when they act as public authorities in a way that is linked to their judicial mandate.^[6]

(b) Regular and Systematic Monitoring

Article 37(1)(b) GDPR imposes the obligation of appointing a DPO on controllers or processors whose core activities involve regular and systematic monitoring of data subjects on a large scale. This concept of “regular and systematic monitoring” of data subjects is mentioned in Recital 24 GDPR, and includes “all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising”.^[7] Monitoring of data subjects can also take place outside of the context of an online environment. Specifically, the WP29 has interpreted “regular” to mean: Ongoing or occurring at particular intervals for a particular period; Recurring or repeated at fixed times; Constantly or periodically taking place. And interpreted “systematic” to mean: Occurring according to a system; Pre-arranged, organized or methodical; Taking place as part of a general plan for data collection; Carried out as part of a strategy. Examples given of regular and systematic processing activities include the operation of a telecommunications network, data-driven marketing, and location tracking, among others.^[8] Recent judgments by Data Protection Authorities in Europe have shown that that fines will be issued for failing to appoint a DPO in instances where one is necessary. For example, on November 10^th 2020 the Spanish Data Protection Authority (AEPD) issued a €50,000 fine against Conseguridad SL for failing to appoint a DPO.^[9] The AEPD held that since Conseguridad SL was processing the personal data of a large number of people through its installation of video surveillance cameras, it was therefore in breach of Article 37(1)(b) GDPR by not having a DPO.^[10]

Article 37(1)(c) GDPR: Special Category or Data Relating to Criminal Convictions and Offences”

In a similar fashion to Article 37(1)(b) GDPR, Article 37(1)(c) GDPR imposes the obligation of appointing a DPO on controllers or processors whose core activities involve, on a large scale, the processing of special categories of data under Article 9 GDPR or data relating to criminal convictions and offences under Article 10 GDPR. This requirement is evidently related to the importance that there is someone within the controller’s organisational structure that understands the sensitivity of the data that is being processed, and is well versed in what the processing of this kind of data implies.

'Large-Scale' and 'Core Activities'

Article 37(1)(b) GDPR and Article 37(1)(c) GDPR also extends the requirement to appoint a DPO to controllers or processors whose core activities require either the regular and systematic monitoring of data subjects on a large-scale, or involve processing of data under Article 9 GDPR or Article 10 GDPR Recital 97 GDPR clarifies that the core activities of a controller are those relating to “primary activities and do not relate to the processing of personal data as ancillary activities”. The WP29 has clarified that the notion of ‘core activities’ can be considered as “the key operations necessary to achieve the controller’s or processor’s goals”.^[11] However, the ‘core activities’ should not be interpreted in such a way that they exclude processing operations that form an inextricable part of the controller’s or processor’s activities. The example given for this by the WP29 is a hospital which provides healthcare. Here, a hospital would need to process health data in order to be able to effectively provide healthcare. In this instance, the processing of data should be considered to be part of a hospital’s core activities, and therefore the hospital would be obliged to designate a DPO.

The term ‘large-scale’ with regards to processing is also not defined in the GDPR. However, Recital 91 GDPR sheds some light on what it may mean, noting that large-scale processing operations might aim to “process a considerable amount of personal data at regional, national, or supranational level” and might “affect a large number of data subjects”. In this regard, the WP29 Guidelines mention four criteria with which the large-scale nature of processing operations can be assessed: (i) the number of data subjects concerned, (ii) the volume and range of data being processed, (iii) the duration or permanence of the processing, and (iv) the geographical extent of the processing activities. Examples given by the WP29 of large-scale processing activities include the regular processing of patient data in hospitals, or the processing of data by telephone or internet service providers. In contrast, the processing of personal data by an individual physician, for example, would not be considered large-scale processing.^[12]

(2) Group Undertakings

Article 37(2) GDPR and Article 37(3) GDPR permit the designation of a single DPO for a cluster of undertakings or several public authorities or bodies. Article 37(2) GDPR states that a single DPO can be appointed for multiple undertakings, as long as the DPO is easily accessible from each establishment. The WP29 has clarified that this notion of accessibility refers to the DPO not only serving as a contact point for data subjects and DPAs , but also as a contact point internally for the organisation itself. The latter is evident from Article 39(1) GDPR, which states that one of the tasks of a DPO is to “to inform and advise the controller and the processor and the employees who carry out processing of their obligations pursuant to this Regulation”. Therefore, it is also important to make sure that the contact details of the DPO are available both externally and internally.^[13]

(3) Multiple Public Authorities or Bodies

Article 37(3) GDPR takes a similar approach, stating that multiple public authorities or bodies may also appoint a single DPO, once their organizational structure and size has been taken into account. If a single DPO is to be appointed for a variety of tasks and across such entities, it is the task of the controller or processor to ensure that the DPO can perform their activities efficiently. In other words, their acting in capacity for multiple entities must not hinder the effective execution of their tasks. To ensure that a DPO is effective, the WP29 recommends that they be located within the European Union, regardless of whether the controller or processor themselves is also established in the Union.^[14]

(4) Other Circumstances in which to Designate a Data Protection Officer

Article 37(4) GDPR stipulates that in instances other than those referred to in Article 37(1) GDPR, it may still be recommended or required by Member State law that a controller or processor, or groups of such, designate a DPO. This DPO may then act for such associations or other bodies representing controllers or processors. For instance, a DPO in this context could be useful in advising the groups of controllers or processors on frequently encountered issues, and could also serve as a communication channel between the represented controllers and processors, and the competent DPAs.^[15]

(5) Expertise and Skill of the DPO

Article 37(5) GDPR specifies that the DPO shall be designated on the basis of their professional qualities and expert knowledge of data protection law. In particular, this provision makes reference to Article 39 GDPR, which details the DPO’s tasks. These include, but are not limited to, tasks such as informing and advising the controller and processor of their obligations under the GDPR; monitoring compliance with the GDPR and assisting in assigning responsibilities and training staff involved in processing operations; providing assistance with Data Protection Impact Assessments (DPIAs) where needed and monitoring compliance with them; and finally, cooperating with the DPA and acting as a channel of communication.

Recital 97 GDPR also states that the necessary level of expert knowledge that the DPO should have should be determined according to what processing operations are being carried out, and what level of protection is necessary for the data that is being processed. The more complex the processing activities are, and the more measures of protection are needed, the more ‘knowledgeable’ the DPO will have to be. However, as Article 39 GDPR clearly establishes, a DPO will need to know their way around the GDPR well enough in order to be able to effectively carry out the tasks required of them. Although Article 37(5) GDPR does not specify the specific qualifications that a DPO must have, knowledge of the business sector, along with an understanding of the controller and their tasks, will be an asset.

(6) DPO on the Basis of a Service Contract

Article 37(6) GDPR allows a designated DPO to be either a controller or processor’s staff member, or to alternatively be appointed on the basis of a service contract. This provision can be interpreted as providing added flexibility to the controller or processor in deciding how to best employ a DPO for their organisation. Importantly, it also does not require that the DPO be an entirely impartial body who is not associated with the controller or processor, much like an independent auditor might be. However, it is essential that the DPO fulfils the applicable requirements of Section 4 of the GDPR – for instance, that they have no conflict of interests.

(7) Contact Details of the DPO

Finally, Article 37(7) GDPR requires that the controller or processor publish the contact details of the DPO, and communicate these to the relevant DPA. One can interpret that this provision’s objective is the facilitation of communication and transparency between the data subject or DPA and the DPO. It is important to note, however, that this provision does not require that the name of the DPO be published; in other words, contact details may include the contact email address, but do not have to necessarily result in the publication of any personal data.

Decisions

→ You can find all related decisions in Category:Article 37 GDPR

References

↑ EDPS, ‘Position Paper on the Role of Data Protection Officers in Ensuring Effective Compliance with Regulation (EC) 45/2001’, 28 November 2005, p. 3 (available here).
↑ EDPS, ‘Position paper on the role of Data Protection Officers of the EU institutions and bodies’, 30 September 2018, p. 14 (available here).
↑ WP29, Guidelines on Data Protection Officers (“DPOs”)”, WP 243 rev.01, 5 April 2017 (available here).
↑ WP29, Guidelines on Data Protection Officers (“DPOs”)”, WP 243 rev.01, 5 April 2017 (available here).
↑ Alvarez Rigaudias, Spinas, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 37 GDPR, p. 692 (Oxford University Press 2020).
↑ Alvarez Rigaudias, Spinas, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 37 GDPR, p. 692 (Oxford University Press 2020).
↑ WP29, Guidelines on Data Protection Officers (“DPOs”)”, WP 243 rev.01, 5 April 2017, p. 8 (available here).
↑ WP29, Guidelines on Data Protection Officers (“DPOs”)”, WP 243 rev.01, 5 April 2017, p. 9 (available here).
↑ Data Protection Authority Spain (AEPD), PS/00251/2020, 29 October 2020 (available here).
↑ Data Protection Authority Spain (AEPD), PS/00251/2020, 29 October 2020 (available here).
↑ WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP 243 rev.01, 5 April 2017, p. 7 (available here).
↑ WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP 243 rev.01, 5 April 2017, p. 8 (available here).
↑ WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP 243 rev.01, 5 April 2017, p. 10 (available here).
↑ WP29, Guidelines on Data Protection Officers (“DPOs”)”, WP 243 rev.01, 5 April 2017, p. 11 (available here).
↑ Alvarez Rigaudias, Spinas, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 37 GDPR, p. 695 (Oxford University Press 2020).

[1] EDPS, ‘Position Paper on the Role of Data Protection Officers in Ensuring Effective Compliance with Regulation (EC) 45/2001’, 28 November 2005, p. 3 (available here).

[2] EDPS, ‘Position paper on the role of Data Protection Officers of the EU institutions and bodies’, 30 September 2018, p. 14 (available here).

[3] WP29, Guidelines on Data Protection Officers (“DPOs”)”, WP 243 rev.01, 5 April 2017 (available here).

[4] WP29, Guidelines on Data Protection Officers (“DPOs”)”, WP 243 rev.01, 5 April 2017 (available here).

[5] Alvarez Rigaudias, Spinas, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 37 GDPR, p. 692 (Oxford University Press 2020).

[6] Alvarez Rigaudias, Spinas, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 37 GDPR, p. 692 (Oxford University Press 2020).

[7] WP29, Guidelines on Data Protection Officers (“DPOs”)”, WP 243 rev.01, 5 April 2017, p. 8 (available here).

[8] WP29, Guidelines on Data Protection Officers (“DPOs”)”, WP 243 rev.01, 5 April 2017, p. 9 (available here).

[9] Data Protection Authority Spain (AEPD), PS/00251/2020, 29 October 2020 (available here).

[10] Data Protection Authority Spain (AEPD), PS/00251/2020, 29 October 2020 (available here).

[11] WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP 243 rev.01, 5 April 2017, p. 7 (available here).

[12] WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP 243 rev.01, 5 April 2017, p. 8 (available here).

[13] WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP 243 rev.01, 5 April 2017, p. 10 (available here).

[14] WP29, Guidelines on Data Protection Officers (“DPOs”)”, WP 243 rev.01, 5 April 2017, p. 11 (available here).

[15] Alvarez Rigaudias, Spinas, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 37 GDPR, p. 695 (Oxford University Press 2020).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]