by André Mendes Costa, masters student at University of Minho
In an ever changing world of information technologies, privacy and data protection inevitably attracts considerable attention.
The Portuguese Data Protection Law and the EU Directive 95/46 will be soon replaced by a new European and National legal framework. In fact, the new General Data Protection Regulation (GDPR) alters profoundly the paradigm of the personal data protection legal regime. The 679/2016 Regulation (GDPR) is part of a new European community legislative package which also includes a directive that lays down the procedures for dealing with personal data by the competent authorities for the purposes of prevention, research, detection and prosecution of criminal offences or the execution of criminal penalties. The Regulation came into force on 25th May and establishes a vacancy period of 2 years, providing the necessary time for the public and private sectors to equip themselves to face the new regulatory demands.
This brief analysis concentrates on the post of the data protection officer (DPO), on his/her duties and competencies and on those entities who are responsible for his/her appointment.
In the new European legislation there is an important change of paradigm in the protection of personal data namely the suppression – with a few exceptions contained in the Regulation – of the requisite of pre notification to the National Commission of Data Protection (NCDP). This change assigns to the person responsible for the processing of data the onus of legal guarantor of his/her cases, thus fully observing the Regulation. In fact, in the cases where there is no prior notification to the competent authority (NCDP), the Regulation has found other forms of guarantying that the processing of personal data is legally protected by creating the post of a data protection officer (DPO).
According to the Regulation, the appointment of a DPO will be obligatory for a number of controllers and processors namely those of and/or on behalf of public authorities or bodies, private firms whose main activity is large scale systematic treatment of personal data as well as other firms that process special data categories in large scale.
However, firms in general may voluntary appoint a DPO, a practice that is recommended by the Regulation – Article 29 WP – itself. The Article 29 Working Party was set up under Article 29 of Directive 95/46/EC, and it’s an independent European advisory body on data protection and privacy. It is composed of representatives of the national data protection authorities (DPA), the EDPS and the European Commission.
The existence of a DPO in an organization can and must be seen as having a commercial advantage: it strengthens transparency, it enhances the trust of the data subject, boosting the relationship between these and the person responsible for treating personal data.
The concept of a DPO is not new. Notwithstanding the fact that the 95/46/CE Directive does not make it obligatory for firms to appoint DPOs, this has been common practice amongst EU Member States, especially in Germany.
DPOs will play a special role in the future of privacy and data protection. They will be responsible for the control of the compliance of controllers and processors policies in data protection treatment with the new regulation, not forgetting other legal provisions. The DPO should act as an intermediary between relevant stakeholders (e.g. supervisory authority, data subjects and organizational business units). This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned (WP 29 Guidelines on Data Protection Officers).
However, DPOs will not have any responsibilities in the case of violation of the Regulation. In fact, it will be up to the controller or the processor the application of the technical and organizational measures that ensure and prove the compliance with the Regulation norms [article 24 (1)].
DPOs must be given total autonomy and access to all data processing in order to fulfil his/hers duties in an effective way.
DPOs must inform and give advice to the person responsible for the processing of data, as well as to those who work in the organization directly with the latter, and to counsel, whenever asked, on issues related with the evaluation of impacts on data protection [article 39 (1)].
Article 37(5) states that DPOs must be appointed based on professional competencies, especially expert knowledge of law and of privacy and data protection practices.
Although the Regulation does not define the most suitable professional qualifications needed for a DPO, the provisional guidelines published in December 2016 (WPN29) state that a DPO should have solid knowledge of National and European legislation on data protection, as well as detailed knowledge of Regulation 679/2016.
Furthermore, a DPO must be familiar with the business area of the person responsible for the processing of data and have a satisfactory understanding of all the processes undertaken, as well as of the existing information system. For example, in the case of a public body, the DPO should have knowledge of administrative law and of administrative procedural law. In this context, the role that a DPO will play will be essentially a legal one, ensuring that there is compliance with existing legislation.
However, one should not disregard the fact that a DPO should have knowledge in the area of informatics. In fact, Article 32 of the Regulation refers pseudonymization and encryption of data as adequate technical and organizational means that ensure on going confidentiality, integrity and availability of data. Thus, the Regulation demands that knowledge on law and informatics go together, so that safety and transparency in the processing of data can be attained.
DPOs can be a staff member of the organization, even performing other tasks or duties or hired on the basis of a services contract. When the DPO is a member of the organization, the controller or the processor should guarantee that there is no conflict of interests with the DPO’s roll.
According to the Article 29 WP, “the absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that they do not give rise to conflicts of interests.” The controller or the processor are responsible for the selection of those organizational positions that do not lead to a situation of conflict of interests. Therefore, they should create internal regulation that prevents and avoids that conflict: Codes of conduct.
Last October, a German company was fined by the “Bavarian Data Protection Authority” (BayLDA – https://www.lda.bayern.de). The company was penalized for having their IT Manager as data protection officer. The BayLDA said that the IT manager could not act as internal DPO, because he had to monitor himself (here). This dual function of the IT Manager is incompatible with the German rules and with Regulation 679/2016. The DPO should act with total independency and cannot have a conflict of interests. This issue should concern all the public entities and bodies, as well as all the private companies that need to appoint a DPO till May of 2018.
In this context, it is expected that any employee who is related to the treatment of personal data of the company, be it the marketing department, human resources and even the legal department, may be prevented from being designated as a DPO, attending the conflict of interests that may be involved. Thus, the DPO must assume a position of total autonomy and independence to the entity to which he provides the service, not receiving any guidance from the administration. This can raise another relevant issue: if the data protection officer is part of the entity’s staff, can the existence of a labour contract affect their autonomy and independence? According to the Portuguese Labour Law, in article 11, employment contract is one by which a single person undertakes, by way of remuneration, to provide his or her activity to another or other persons, within the organization and under their authority. Can a DPO have a labour contract, and still work with total independency and autonomy? Probably, to ensure the compliance with the GDPR, the DPO should be hired on the basis of a services contract.
With the reforming of the European data protection legal framework, DPO’s play an important role as they must ensure that both public and private entities comply with the new rulings on data protection. It is a highly responsible position especially given the widespread use of data collection in current society. Finally, it should be emphasized that both Article 8 of the EU Charter of Fundamental Rights and Articles 26 and 35 of the Portuguese Constitution recognise privacy and data protection as fundamental individual rights.
Picture credits: Untitled by HypnoArt.