Data Protection Officer
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), will be directly applicable in all Member States of the European Union from 25 May 2018.
One novelty that this European act brings to the Romanian legal framework is the obligation, in certain cases, for the controller or the processor to designate a data protection officer.
In order to ensure a harmonised application of the General Data Protection Regulation, the Article 29 Working Party issued the Guidelines on Data Protection Officers (DPOs), accessible in the dedicated General Data Protection Regulation section (http://www.dataprotection.ro/index.jsp?page=Regulamentul_nr_679_2016) of the website of the National Supervisory Authority for Personal Data Processing.
I. Situations in which the designation of a data protection officer is mandatory
- where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
- where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences
What does “core activities” mean?
The core activities of a controller or processor should be determined by reference to the processing it actually carries out: processing that is an inextricable part of its main activity counts, whereas ancillary processing (such as payroll or routine IT support) does not.
What does “regular and systematic monitoring” mean?
This clearly includes all forms of tracking and profiling on the Internet, including for the purposes of behavioural advertising, but it is not restricted to the online environment.
The term "regular and systematic" implies an ongoing or recurring activity involving data processing, carried out according to a system rather than on an ad hoc basis.
What does processing “on a large scale” mean?
When determining whether the processing is carried out on a large scale, the following four factors should be considered:
- the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity;
- the geographical extent of the processing activity.
What does “special categories of data” mean?
Special categories of data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person's sex life or sexual orientation.
Examples of processing that may constitute regular and systematic monitoring of data subjects and/or processing on a large scale:
- operating a telecommunications network;
- profiling and scoring for the purposes of risk assessment (for example, for credit, insurance premiums, fraud prevention, money laundering);
- location tracking, for example through mobile applications (geo-location);
- developing loyalty programs;
- monitoring health, fitness and wellness data through wearable devices;
- closed-circuit television – CCTV;
- processing of patient data by a hospital;
- processing of content data, location data, traffic data by Internet service providers;
- processing of personal data by insurance companies;
- behavioural advertising.
When is it not necessary to designate a data protection officer?
- when the personal data processing is not carried out on a large scale, for example the processing of patient data by an individual medical practice, or the processing of personal data relating to criminal convictions and offences by an individual law firm.
Even where the designation of a data protection officer is not mandatory, the Supervisory Authority recommends appointing one, as this helps the controller comply with its obligations in the field of personal data protection.
II. Who can perform the function of data protection officer?
Article 37(5) of Regulation (EU) 2016/679 provides that the data protection officer “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”.
A data protection officer must be designated:
- in the public sector;
- in the private sector, in the situations expressly provided for by Article 37 of the GDPR.
The data protection officer can be an employee of the controller/processor or can perform the function on the basis of a service contract.
In the public sector, a single data protection officer may be designated for several public authorities or bodies, taking into account their organisational structure and size.
Expertise and skills:
The DPO should be able to perform the tasks assigned; this requires certain personal qualities (e.g. integrity and professional ethics), knowledge and an appropriate position within the organisation.
The DPO should have the following professional qualities:
- expertise in national and European data protection laws and an in-depth understanding of the GDPR;
- a level of knowledge of data protection commensurate with the processing operations performed and with the level of protection required for the personal data processed;
- to understand the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller;
- in the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organisation.
The main concern of the data protection officer is ensuring compliance with the General Data Protection Regulation and the applicable national regulations.
The data protection officer is bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
With regard to the data protection officer, the controller or the processor is required:
- to publish the contact details of the data protection officer (a postal address, a dedicated telephone number and/or a dedicated e-mail address);
- to communicate the contact details to the National Supervisory Authority for Personal Data Processing.
The data protection officer may perform other tasks.
The DPO can be entrusted with other tasks and duties provided that these do not give rise to a conflict of interests. Positions that would create such a conflict include chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of human resources and head of IT.
The DPO should not be dismissed or penalised by the controller or the processor for performing his or her tasks.
For example, the DPO cannot be dismissed for giving advice in the course of his or her tasks.
A DPO may, however, legitimately be dismissed for reasons other than the performance of his or her tasks as a DPO.
For instance, the DPO can be dismissed in case of theft, harassment or similar gross misconduct.
III. Tasks of the DPO
- to inform and advise the controller or the processor, as well as the employees who carry out data processing;
- to monitor compliance with the Regulation and with other Union or Member State data protection provisions;
- to provide advice, where requested, as regards the data protection impact assessment and to monitor its performance;
- to cooperate with the Supervisory Authority and to act as the contact point for it on issues relating to processing;
- to have due regard to the risk associated with the processing operations in the performance of his or her tasks.
For more information, we recommend consulting the Guidelines on Data Protection Officers (DPOs), accessible in the section on the new Regulation on the website of the National Supervisory Authority for Personal Data Processing – www.dataprotection.ro.
Legal and Communication Department