In today’s digital world, the protection of personal data is a high priority for both citizens and companies. The EU’s General Data Protection Regulation (GDPR) requires certain companies and organizations to appoint a data protection officer (DPO), depending on what their core activities involve.
Failing to appoint a DPO where one is required can lead to administrative fines of up to EUR 10,000,000 or 2% of the company’s total worldwide annual turnover, whichever is higher. It is therefore important to investigate whether your company is obliged to appoint a DPO.
For public authorities and public bodies, appointing a DPO is mandatory (courts acting in their judicial capacity excepted). For other companies and organizations, the obligation depends on their core activities: it applies if these consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of sensitive personal data. For example, a security company that carries out surveillance is obliged to appoint a DPO, since capturing images and other personal data for the purpose of surveillance is inseparable from its core activity.
Whether the processing takes place on a large scale is therefore decisive. Large-scale processing may, for example, occur in connection with behaviour-based advertising by a search engine, processing of customers’ geolocation data by an international chain, or processing of travel and tracking data in connection with customer service. This list is not exhaustive, and the number of data subjects, the volume and range of the data, the duration of the processing and its geographical extent must be assessed concretely before deciding whether the company is obliged to appoint a DPO.
Furthermore, a company is obliged to appoint a DPO if its core activities consist of regular and systematic monitoring of data subjects on a large scale. This includes, for example, all forms of tracking and profiling on the internet for the purpose of behaviour-based advertising, as well as ongoing assessment of customers’ creditworthiness. It may also include location tracking via mobile apps, loyalty programmes or video surveillance.
If the core activity of the company consists of large-scale processing of special categories of personal data (such as health data, genetic or biometric data, or data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation) or of personal data relating to criminal convictions and offences, the company is also covered by the DPO requirement.
When a company has established that it is obliged to appoint a DPO, or voluntarily wishes to do so, it must decide whether the DPO should be internal or external. A voluntarily appointed DPO is subject to the same rules as a mandatory one. In either case, the DPO must be independent of management and must not receive instructions regarding the performance of his or her tasks.
Regardless of whether you choose an internal or external DPO, the DPO must report directly to the highest management level of the company. This does not mean that top management can instruct the DPO in its tasks: the DPO must be able to act as an independent function within the company. For the same reason, the DPO cannot be dismissed or penalised for performing his or her tasks.
If the company appoints an internal DPO, that person must have sufficient expert knowledge of data protection law and practice, and it must be ensured that any other tasks assigned to the DPO do not lead to a conflict of interest. A DPO should therefore not hold a position in which he or she determines the purposes and means of the processing, such as head of IT, HR or marketing.
If an external DPO is chosen, a written service contract must be concluded with the external DPO that ensures the DPO has sufficient expertise and resources to carry out the tasks effectively and independently.
The DPO’s primary tasks are to inform and advise the company about its obligations under data protection law, to monitor the company’s compliance with that law (including awareness-raising and training of staff), to advise on data protection impact assessments where requested, and to cooperate with and act as the contact point for the supervisory authority. A DPO can also play a positive role in the company: by helping to ensure compliance with the legislation, the DPO gives customers confidence and trust in the company.
For many companies, it can be difficult to assess whether they are obliged to appoint a DPO. In that situation, it may be a good idea to seek professional advice.
If you are in doubt as to whether your company is obliged to appoint a DPO, you are welcome to contact DreistStorgaard, who can help assess the need for a DPO and, if required, take on the role of DPO for the company.
By associate attorney Sylvester Strand Thomsen
Certified CIPP/E and ISO 27701/2