EU A29WP Releases Data Protection Officer Guidelines

    Feb 08, 2017

    The EU’s Article 29 Working Party has published new guidelines on the role of data protection officers (DPOs) under the General Data Protection Regulation (GDPR).

    DPOs are considered a cornerstone of data protection compliance, and the guidelines will require many businesses to appoint a DPO. The guidelines also provide businesses with useful information on the appointment and responsibilities of DPOs.

    According to the guidelines, a DPO is a person (either an employee or an external consultant) who is given formal responsibility for data protection compliance within a business. Under existing EU data protection law, the approach to DPOs varies from one member state to the next. In most cases, it is not currently mandatory to appoint a DPO. However, the guidelines may change that.

    Article 37(1) of the GDPR requires a member state to appoint a DPO if:

    • The relevant data processing activity is carried out by a public authority or body;
    • The core activities of the relevant business involve regular and systematic monitoring of individuals, on a large scale; or
    • The core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offences, on a large scale.

    The guidelines recommend that businesses should keep records of any decision to appoint, or not appoint, a DPO, and any analysis undertaken in connection with that decision. The guidelines detail the appointment of a DPO:

    • Appointing a DPO voluntarily: A business can voluntarily appoint a DPO even if it is not legally required to do so. However, it is important to note that a business that appoints a DPO voluntarily must still comply with the full range of DPO-related compliance obligations, just as if they were required to appoint a DPO.
    • Appointing a non-DPO to a data protection compliance role: Businesses that are not mandated to appoint a DPO may instead appoint other staff to perform tasks relating to data protection compliance. But such staff should not be referred to as “DPOs” or “Data Protection Officers” (even informally) to avoid any risk of confusion.
    • Appointing a group DPO: A single DPO can be appointed for a corporate group (or several entities within a group) if he or she is easily accessible from each business location for which he or she is responsible. This requires that the communication with the DPO may take place in the language used by the respective data protection authorities and data subjects.
    • Appointing DPO team: Depending on the size and structure of a business, it may need a team of individuals (a formal DPO and his/her staff) to fulfil the DPO obligations. If a business decides to adopt this approach, it will need to clearly establish the roles and responsibilities within that team and designate a lead contact who is responsible for that team.
    • Appointing an external DPO: A business may appoint an external contractor as its DPO (as opposed to an employee) as long as he or she possesses sufficient knowledge of the business and its data processing activities to fulfill the role. A team of individuals within an external service provider may also be appointed to take on the DPO role, with a single individual acting as lead contact.

    According to the guidelines, a qualified DPO candidate will possess appropriate professional qualities and expert knowledge of data protection law. The required level of expertise will vary depending on the business – the more complex or high risk the data processing activities are, the greater the expertise of the DPO will need to be.

    DPOs also must be autonomous and independent, meaning the business must not instruct him or her on how to do the job, and the DPO must be above conflicts of interests that occur within the business. The guidelines suggest that businesses create internal rules and safeguards to ensure that the DPO is able to act independently and without conflicts of interest.

    To help ensure that DPOs can work autonomously and independently, they are protected by the GDPR from unfair dismissal /termination for reasons relating to their performance of the DPO role. This means businesses can’t remove a DPO just because he or she adopts a risk-averse approach to data protection compliance. A DPO who is an employee of the business also may be protected by local employment law in some EU member states, making it hard for businesses to fire DPOs. However, the GDPR does not protect a DPO from dismissal/termination for reasons that are separate from their performance of the DPO role. If a business hires an external contractor as its DPO, he or she receives the same protections provided by the GDPR to other DPOs.

    According to the guidelines, businesses must involve the DPO in all issues related to data protection compliance from the start and give the DPO all the necessary resources to fulfill his or her role, including senior management support, training, and financial resources. The DPO is responsible for monitoring the business’s compliance with GDPR, advising the business on data protection issues, and carrying out data protection impact assessments.

    A business may disagree with its DPO and may not follow its DPO’s advice, the guidelines state. However, the business must document in writing its reasons for not following the DPO’s advice. In addition, the DPO’s job is to monitor the business’s compliance with the GDPR, but he or she is not liable if the business is not compliant.

    If a business fails to fulfill its obligations regarding the appointment and support of a DPO under the guidelines, it could face fines up to a maximum of the greater of €10 million or 2% of worldwide turnover.

    The guidelines may be accessed here: Guidelines on Data Protection Officers.


    The online Global Policy Brief is intended to help you stay current on international news and events. Further information about the issue is accessed by clicking on the link provided at the end of each summary.

    Want to sign up to receive an email version of the Global Policy Brief? It's free! Just tell us a little about yourself and you'll receive a monthly dose of the latest in legislation, regulation, and more.

    © 2017, ARMA International