Out-Law Analysis 8 min. read

Data protection officers – will EU businesses face an obligation to appoint one?

FOCUS: In 2012 the European Commission set out plans to require a large number of organisations operating in the EU to appoint a data protection officer (DPO) but now EU ministers want to remove the requirement from proposed new EU data protection laws.

However, even if the current ministerial plans survive on-going negotiations on the reforms, businesses could still face an obligation to appoint a DPO under national laws across the trading bloc.

So what do the proposals for a new General Data Protection Regulation currently say, and what are the existing requirements facing businesses in Germany regarding the appointment of a DPO?

The draft General Data Protection Regulation

In January 2012, the European Commission published plans to overhaul the existing data protection framework in the EU. It published a draft new General Data Protection Regulation with the intention of it setting a single data protection law that would apply uniformly across the EU. A new EU Directive on data protection is planned in conjunction with the new Regulation. It would separately set rules on personal data processing by law enforcement bodies.

The new Regulation would, if introduced, replace the fragmented nature of the national data protection laws that currently exist across the 28 EU member states under the umbrella of the EU's 1995 Data Protection Directive.

Under the Commission's proposals, all public bodies, business with more than 250 permanent staff, and organisations with "core activities" that "consist of processing operations which ... require regular and systematic monitoring of data subjects" would be required to appoint a DPO.

DPOs would need to be appointed for a period of at least two years, but could be either an internal employee or a person external to the organisation. However, in either case the DPO would have to "be in a position to perform their duties and tasks independently".

DPOs would require to have "expert knowledge of data protection law and practices" to the extent that they would be able to fulfil requirements specified in the Regulation, such as being able to advise on their employers' compliance with the data protection rules, assign data protection training to staff, liaise with regulators over personal data breaches and monitor the performance of organisations' data protection impact assessments.

DPOs would also need to adhere to suitable professional qualifications. The Commission proposed to retain the power to set out criteria for the type of qualifications DPOs would have to obtain.

The Commission's proposals did include giving some flexibility to those organisations that would be required to appoint a DPO. It said it would in some circumstances be legitimate for public authorities to appoint only one officer to cover "several of its entities", and said only one officer would need to be appointed across group companies.

EU bodies propose changes to the DPO requirements

The Commission's draft General Data Protection Regulation has been subject to heavy scrutiny and proposed revision by the European Parliament and the Council of Ministers (the Council) since it was first published. The two EU law making bodies have been working on separate amended versions of the Regulation but must reach agreement on a single text before the new laws can be brought into force.

According to its version of the draft Regulation, which was agreed by MEPs in March last year, the European Parliament wants to change the criteria determining which businesses should be required to appoint a DPO.

It said the number of staff a business has should not determine whether or not it should have to appoint a DPO, rejecting the Commission's plans to require businesses with more than 250 permanent staff to appoint such an officer. Instead it said businesses should have to appoint a DPO where they process personal data relating to "more than 5000 data subjects in any consecutive 12-month period".

The European Parliament backed the Commission's plan to get organisations with "core activities" that "consist of processing operations which ... require regular and systematic monitoring of data subjects" to appoint a DPO. However, it also proposed that businesses whose core activities consist of processing so-called 'special categories' of data, location data or data on children or employees in large scale filing systems, should also have to appoint a DPO. 'Special categories' of data include information such as individuals' health data or about their religious or political beliefs.

The European Parliament believes that where a DPO must be appointed, they should be appointed for at least four years if they are an employee of the company or at least two years if they are an "external service contractor". The remaining provisions relating to DPOs in the European Parliament's proposals either remain unchanged from the Commission's draft or have only be altered slightly.

By contrast, the Council looks set to push for any requirement for the mandatory appointment of DPOs to be removed from the final Regulation, although some countries including Germany and Hungary would still prefer for mandatory conditions to be set.

The Council has been significantly slower in scrutinising the Commission's plans than the European Parliament and has yet to reach a consensus on the reforms. National justice ministers from across the EU who make up the Council have, however, reached provisional agreement on some areas of the Regulation, including on the provisions relating to DPOs. This agreement has been reached on a "nothing is agreed until everything is agreed" basis.

Under the Council's plans, no organisation would be under an obligation to appoint a DPO (44-page / 491KB PDF) unless required to do so under other EU legislation or the national laws of individual EU member states.

Instead, the Council said organisations "may" appoint a DPO and goes on to list conditions that organisations electing to appoint a DPO would have to conform to. Many of the conditions are similar to those supported by the Commission and Parliament. They include that the DPO can act independently of the organisation, whether they are an employee or external contractor, are designated on the basis of professional qualifications and have sufficient expertise on data protection matters to be able to fulfil the tasks specified in the Regulation.

Under the Council's proposals, businesses would have to ensure DPOs report to "the highest management level" in their organisation, and ensure that the activities of the DPO "do not result in a conflict of interests".

The position in Germany

The new General Data Protection Regulation is still many months from being finalised, and even then it would only come into force a couple of years later. With diverging opinions among EU law makers on whether or not businesses and public bodies should be required to appoint a DPO, it is unclear which opinions will prevail.

However, as the Council's position makes clear, businesses are likely to at least be required to appoint DPOs in accordance with national legal requirements across the different countries in the EU.

UK data protection laws do not currently require any organisation to appoint a DPO, although the Information Commissioner's Office (ICO), the UK's data protection watchdog, has previously said the new Regulation should require some businesses to appoint one. However, it objects to company size being a criteria for determining whether or not the DPO obligation should apply, and instead said criteria based on "the number of data subjects the organisation processes data about and / or the nature of the data concerned" would be more appropriate.

The ICO said, though, that organisations involved in large-scale personal data processing or risky processing should not have to employ a specialist data protection officer if they "have effective processes in place for ensuring data protection compliance".

There is also no DPO obligation in France, although some businesses will appoint one to aid them with matters of compliance. However, in France, if a DPO is appointed by an organisation, there is a requirement that the DPO is independent and that the competent employees representation body is given prior written information about the appointment.

The position is quite different in Germany where some businesses are already required by law to appoint a DPO.

The requirement to appoint a DPO under German law kicks in where a business permanently employs at least nine people involved in the automated processing of personal data, or where at least 20 people are employed in the non-automated processing of personal data. Failure to appoint a DPO, or appointing a DPO who is not sufficiently qualified, can result in fines of up to €50,000 being served on organisations.

The main purpose of the DPO in Germany is to act as an independent self-regulator of a business' compliance with data protection laws, including conducting prior checks of certain data processing measures. As well as being fully independent, the DPO must be suitably qualified. This means they must have legal, technical and organisational qualifications and competence and have profound knowledge of Germany’s data protection laws, even though they need not be lawyers. DPOs can be required to adhere to specific qualifications depending on which sector they work in.

In Germany, it is common for DPOs to be external specialised DPO service agencies or small law firms not engaged in day-to-day privacy advice. There are potential conflicts of interest that could arise where legal advisers to an organisation also operate as the organisation's DPO.

DPOs in Germany enjoy special dismissal protection under employment laws in the country. Where the DPO is employed by a company, their employment may only be terminated for good cause, such as for severe breach of their duties, severe breach of non disclosure obligations or stealing, discriminating of other employees or other major indiscretions. Employed DPOs also cannot generally have their employment terminated within a year after moving from their role as DPO to another job within the company.

Contracts between German companies and external DPOs must provide for termination rights with at least a six months notice period.

Primary responsibility for adhering to German data protection laws lies with the company’s management, but DPOs can be held liable based on a breach of the underlying service or employment contract they have with the company. External DPOs' service contract may include specific liability limitations, however, and internal DPOs' liability is limited to intentional violations and acts of gross negligence by statutory German employment law.

DPOs in Germany are not liable for data protection deficiencies which they notified the company decision makers about but which those executives ignore. DPOs can, though, be held liable for a privacy breach based on the law of tort, which is essentially a wrongful act from which damages can be payable in civil cases.

Where will the data protection officers come from?

As we discussed in a previous podcast, there remains the question of where all the data protection officers will come from should the new Regulation mandate their appointment.

Currently there are a range of different qualifications that individuals looking to become DPOs can obtain. In the UK, the Chartered Institute for IT (BCS) runs a five day course followed by an exam based on the rules set out in the UK Data Protection Act. A new BCS foundational certificate will also soon be available.

Other data protection qualifications can also be obtained, including CIPP certification from the International Association of Privacy Professionals (IAPP). There are a number of different CIPP certification qualifications, with some tailored for individuals looking to operate as a DPO in the US or Canada. Another CIPP certification is based on existing EU data protection standards, and there is a UK-specific certification also offered by CIPP which relates to the Data Protection Act.

The different certification schemes vary in their rigour. Organisations and prospective DPOs will want to know which qualifications are considered to make the grade should mandatory DPO conditions be imposed in the finalised General Data Protection Regulation. Rigour might be best assessed by establishing how long it takes to complete a course and obtain the qualification, what fail rate there is and how thorough the course is in looking into data protection rules and matters of compliance.

Marc Dautlich and Stephan Appt are data protection law specialists at Pinsent Masons, the law firm behind Out-Law.com

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.