
Topic 5: Role of the DPO

This guide was produced by the STAR project (Support Training Activities on the data protection Reform; 2017-2019), which is co-funded by the European Union under the Rights, Equality and Citizenship Programme 2014-2020 (RECRDAT-TRAI-AG-2016) under Grant Agreement No. 769138. More information and other GDPR training resources can be found at: www.project-star.eu

Guidance for using these slides (remove before delivering)

These slides are meant to be easily adaptable to different audiences. To facilitate this, each slide is assigned to a specific audience (see “relevant for:” in the notes). In the notes section below each slide, you find an indication of the slide’s degree of difficulty [i.e. whether it is suited for data protection beginners or not], its target audience [everyone vs authorities, lawyers, data protection officers, etc.], and its degree of importance [whether it is essential that you deliver it, or if it can be removed without impacting the effectiveness of the training].

Prior to training delivery, please:
• Read the slides and the notes thoroughly
• Take a look at the reading materials – they also serve to assist you in your preparation
• Remove/hide the slides that you consider unnecessary [right click on the slide miniature on the left and click ‘hide slide’]. A provisional categorisation has been made based on the depth and importance of the respective content
• Adjust slides to national or sectoral requirements
• Add content that you consider essential for your particular audience
• Feel free to replace the default layout with your organisation’s layout

How to Read the Slides’ Colour Frames [Remove Before Delivering]
• Green – is a basic slide: we encourage you to keep it
• Yellow – is a medium level slide: it is important, but does not jeopardise effectiveness if removed
• Red – is an advanced slide: consider adapting it to your audience, preparing your audience for it, or removing it if you deem it unnecessary
• Purple – advised adaptation: this slide should contain information regarding the national legislation complementing the EU Regulations; if the content regards a different Member State, we advise you replace it with the national, relevant content

Speaker Name Title Department Contact details

These slides explore one of the most relevant changes in the new regime, which is the obligation for some organisations to appoint a Data Protection Officer (DPO), a corporate role tasked with facilitating compliance with the GDPR provisions. They give an overview of when and how to appoint one, and what DPOs are tasked with.

Table of contents
1. What is a DPO?
   a) Designation of a DPO: When do I need a DPO?
   b) What does a DPO do?
      i. functions and activities
      ii. roles and competencies
   c) Organisational requirements for the DPO
   d) Expertise and skills of a DPO
   e) How to become a DPO?
   f) How to choose a DPO?
   g) Checklist DPO
2. Q&A
3. Wrap-up and feedback

Objectives
• Explain the role of DPOs in the protection of natural persons’ rights with regard to the processing of their personal data
• Provide an overview of the activities of a DPA
• Help to create a better understanding of the operation of the national supervisory authority

Introductions
• What’s your level of experience with data protection?
• What do you know about a DPO?
• Is there anything in particular you are hoping to get out of today?

Relevant Articles of the GDPR concerning Data Protection Officers (DPOs)
• Not an entirely new concept – introduced by Data Protection Directive 95/46/EC (some 38% of EU Member States made the appointment of a DPO compulsory in certain cases)
• GDPR: the Data Protection Officer (DPO) is a corporate role tasked with facilitating compliance with the GDPR provisions and other applicable data protection rules (Recital 97); in certain cases mandatory
• Designation of DPO (Art. 37)
• Position of DPO (Art. 38)
• Tasks of DPO (Art. 39)

Designation of a DPO: When do I need a DPO? (5-11-2020 | 11)

When do I need a DPO?
1. Mandatory DPO
   • Public authority
   • Regular and systematic monitoring of data subjects on a large scale (surveillance)
   • Processing on a large scale of special categories of data/criminal convictions (sensitive data)
2. Voluntary DPO

Mandatory DPO: public authority
Article 37(1)(a) GDPR: “The controller and the processor shall designate a data protection officer in any case where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.”
• WP29 considers that public authority is to be determined under national law:
   • National
   • Regional
   • Local
   • Other bodies governed by public law

Mandatory DPO: Surveillance
Article 37(1)(b) GDPR: “The controller and the processor shall designate a data protection officer in any case where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes require regular and systematic monitoring of data subjects on a large scale”.

What is a core activity?
• Primary activities of the controller/processor = key operations necessary to achieve the business goal of a controller or a processor
• The core activity need not be the processing of personal data itself, BUT the processing is inextricably linked to the main activity of the business

Examples – core activity surveillance
• Advertising company
• Private security company for monitoring shopping centres via video
• Furniture store that sells furniture online and uses cookies to analyse its customers, as the business strategy is to expand further across Europe
• Personnel service provider for factories

What is NOT a core activity?
• If the processing of personal data is merely ancillary
• Merely ancillary means it is a business-supporting activity (administrative) that is not specifically linked to the strategy of the business
• Activities that most companies need to do are ancillary, e.g. HR, tax

Examples – ancillary activity
• Processing employees’ data for payment of their salaries
• An online shop stores customer data (name, delivery address) in order to deliver the shoes

Case studies regarding core activity
1. Social network – core activity?
2. Middle-sized factory building tractors, processing employee data – core activity?
3. Animal shelter using a website to post pictures of animals in need of adopting – core activity?
4. Dating site – core activity?
5. Apps – core activity?

What is meant by “large scale”?
• How many data subjects are concerned?
• What volume of data is being processed?
• What range of different data items is being processed?
• How long does the data processing take place?
• What is the geographical reach of the data processing?

Case studies regarding large scale (& core activity)
• A private company offering public transport services uses key cards for access and use of its transport means (e.g. in Brussels or London). Core activity? Large scale?
• An international fast-food chain hires an analytics company to make statistics about its customers. Core activity? Large scale?
• A bank or insurance company processing data about their clients. Core activity? Large scale?
• A search engine uses personal data of its users to personalise the advertisements it is showing them (behavioural advertising). Core activity? Large scale?
• A regional telephone or internet service provider processes personal data in the ordinary course of business. Core activity? Large scale?
• An international dating app processes personal data in order to match registered users. Core activity? Large scale?

What is “monitoring”?
• All activities that record personal data to observe different behaviours (surveillance).
• Includes all kinds of profiling and tracking on the internet, including for behavioural advertising.
• Does not need to be online!

When is monitoring “regular”?
• Ongoing or occurring at particular intervals for a particular period, OR constantly OR periodically taking place.
• As soon as the monitoring is being repeated or can be easily repeated.
• One-time monitoring is not enough!

When is monitoring “systematic”?
• Monitoring is occurring according to a system: pre-arranged, organised or methodical.
• Results of monitoring are systematically recorded.
• Monitoring is not random in terms of time and place.

EXAMPLES: Regular and systematic monitoring (surveillance)
• Operating a telecommunications network or providing telecommunication services
• Data-driven marketing activities, including behavioural advertising
• Profiling and scoring for purposes of risk assessment (e.g. for the purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering)
• Location tracking, e.g. by mobile apps
• Loyalty programs
• Monitoring of wellness, fitness and health data via wearable devices
• Connected devices, e.g. smart meters, smart cars, home automation

Case studies: Regular and systematic monitoring (repeat of large scale) PART I
1) A private company offering public transport services uses key cards for access and use of its transport means (e.g. in Brussels or London) displaying the name and photo of the passenger. Regular and systematic monitoring?
2) An international fast-food chain hires an analytics company to make statistics about its customers. The analytics company pseudonymised the data of each customer. Regular and systematic monitoring?
3) A bank or insurance company processing data about their clients. Regular and systematic monitoring?

Case studies: Regular and systematic monitoring (repeat of large scale) PART II
4) A search engine uses personal data of its users to personalise the advertisements it is showing them (behavioural advertising). Regular and systematic monitoring?
5) A regional telephone or internet service provider processes personal data in the ordinary course of business. Regular and systematic monitoring?
6) An international dating app processes personal data in order to match registered users. Regular and systematic monitoring?

Exercise on mandatory DPO for surveillance
A factory constructs lawn-mowers.
• VARIATION 1: They install a video surveillance system to record who is accessing and leaving the factory (the system does not collect special categories of data). They do the processing of the data from the system themselves.
• VARIATION 2: They employ a security company to monitor access to their premises. The security company is tasked to record who is accessing or leaving the factory, and to identify all of the individuals. They install a video system for that purpose (they do not collect special categories of data). The security company specialises in workplace security enhancement of that kind and offers these kinds of services to several factories.
Question: Does any of the actors need to designate a DPO? Why not?

Mandatory DPO: Sensitive Data
Article 37(1)(c) GDPR: “The controller and the processor shall designate a data protection officer in any case where: the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”

EXAMPLES
1. Core activity – sensitive data
   • EXAMPLE 1: Private hospital
   • EXAMPLE 2: Private prison
2. Large scale – sensitive data
   • EXAMPLE 1: Private hospital
   • EXAMPLE 2: An individual dentist uses a computer database to store x-rays and diagnoses of his or her patients.
   • EXAMPLE 3: A lawyer processes personal data of his or her clients, including criminal convictions and offences.

Case studies: processing on a large scale of special categories of data/criminal convictions as a core activity PART I
1) Running app: A running app requests the user to give the following data: age, weight, height. It then shows the BMI. It records each run the user takes, including length and time. It regularly asks the user to update the information, to track potential weight loss or gain. Core activity? Large scale? Sensitive data?
2) A social media network encourages users to state political preference/religion/philosophical beliefs. It uses the information it receives for behavioural advertising. Core activity? Large scale? Sensitive data?

Case studies: processing on a large scale of special categories of data/criminal convictions as a core activity PART II
3) An international criminal law firm that has cases in several EU member states and in third countries operates with a central client database that also includes information on criminal convictions and offences. Core activity? Large scale? Sensitive data?
4) VARIATION of 3): A one-man law firm introduces such a database for his or her own clients. Core activity? Large scale? Sensitive data?
5) A physiotherapist/personal trainer keeps charts and information on each patient in an online system, including weight, height, medical ailments etc. Core activity? Large scale? Sensitive data?

ATTENTION!
• There are no exceptions once you fall under one of the cases for mandatory DPO designation.
• Member States can add more mandatory instances.
• Other EU law can add more mandatory instances.

Voluntary DPO
Article 37(4) GDPR: “In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may (…) designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.”

QUESTIONS about when do I need a DPO?

What does a DPO do?

Tasks of a DPO – Part I
1. All issues related to the protection of personal data
   • DPO works on ALL data protection issues, not just those under the GDPR
   • DPO applies a risk-based approach
2. Monitoring compliance with the GDPR
   • Inform and advise the company and employees about their obligations
   • Audits
   • Awareness-raising and training staff

Tasks of a DPO – Part II
3. Role in data protection impact assessments
   It is in principle the task of the controller to conduct a data protection impact assessment. The controller must ask the DPO for advice about:
   o whether to carry it out
   o methodology
   o potential outsourcing
   o how to mitigate risks
   o conclusions
4. Direct reporting to senior management
   Article 38(3) GDPR: “(…) The data protection officer shall directly report to the highest management level of the controller or the processor”.
   • Reporting about all data protection activities
   • Frequency depends on urgency
   • Special attention to cases where the DPO dissents from a data protection management decision

Tasks of a DPO – Part III
5. Cooperating with supervisory authorities and being a contact point for data subjects
   • The DPO should facilitate and mediate between the organisation and the supervisory authority.
   • The DPO should help the supervisory authorities to gain access to the necessary documents and information.
   • The DPO should also act as a contact point for data subjects that have questions or issues with the processing of their personal data.
6. Optional tasks
   • Record-keeping
   • Data management systems
   • Regular report over all data protection activities

QUESTIONS about what does a DPO do?

What are the organisational requirements for a DPO?

Organisational requirements for a DPO
1) DPO at the Controller or at the Processor
2) Status of the DPO within an organisation
3) Necessary resources
4) Autonomy of the DPO
5) Secrecy and confidentiality
6) Publicity of DPO contact details
7) DPOs for more than one entity

1. DPO at the Controller or the Processor?
• Both Controllers and Processors can be required to designate a DPO
• Sometimes only the Controller designates a DPO
• Sometimes only the Processor designates a DPO
EXAMPLE 1: A small family business active in the distribution of household appliances in a single town uses the services of a processor whose core activity is to provide website analytics services and assist with targeted advertising and marketing.
EXAMPLE 2: A medium-sized tile manufacturing company subcontracts its occupational health services to an external processor, which has a large number of similar clients.

2. Status of a DPO within an organisation
Article 38(1) GDPR: “The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”
• The DPO must be in a position to be involved in that manner.
• The DPO must be involved as early as possible.
• The DPO must be a discussion partner within the organisation for all data protection issues.

EXAMPLES for the correct position of a DPO
• The DPO is invited to participate regularly in meetings of senior and middle management.
• The DPO is present when decisions with data protection implications are taken.
• The opinion of the DPO is always given due weight.
• The DPO is promptly consulted once a data breach or other incident has occurred.
• The DPO is accessible.

3. Necessary resources for a DPO
Article 38(2) GDPR: “The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.”

4. Autonomy of a DPO
Article 38(3) GDPR: “The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks (…).”
• no instructions
• no dismissal/penalty
• no conflict of interest

Autonomy of a DPO II
1. No instructions
   The DPO must be independent within the organisation. The DPO must not be instructed how to deal with a matter, what result should be achieved in a certain data protection investigation, how to investigate a complaint, or whether to consult the supervisory authority.
2. No dismissal/penalty
   Example of wrongful dismissal: A DPO considers that a particular processing is likely to result in a high risk and therefore advises his or her company to carry out a data protection impact assessment, but the company does not agree with the DPO’s assessment, and therefore wants to dismiss the DPO to hire a colleague of whom they know that he will have a different opinion.
3. No conflict of interest
   Article 38(6) GDPR: “The data protection officer may fulfil other tasks and duties. The controller or the processor shall ensure that any such tasks and duties do not result in a conflict of interests.”

What constitutes a “conflict of interest”?
A DPO cannot be the “controller” = a DPO cannot be the person who decides about the purposes and means of the personal data processing.
Examples of incompatible positions:
• Chief executive
• Chief operating officer
• Chief financial officer
• Chief medical officer
• Head of marketing department
• Head of Human Resources
• Head of IT department

5. Secrecy and confidentiality
Article 38(5) GDPR: “The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union and Member State law.”

6. Publicity of DPO contact details
• Who is “their” DPO must be known by all people working within the organisation.
• Who is the DPO must be communicated to the supervisory authority.
• Who is the DPO must be communicated to the data subject.

7. DPOs for more than one entity
In two instances a DPO can be appointed for more than one entity:
• Group of companies
• Several public authorities

QUESTIONS about organisational requirements for a DPO?

What are the expertise and skills of a DPO?

Expertise and skills of a DPO
1) Required expertise of a DPO
   • No regulated profession = no standardised expertise
   • Knowledge shall relate to the data processing operations carried out in the specific company, and the protection required for the processed data
2) Professional qualities of a DPO
   • Expertise in both national and European data protection laws and practices and an in-depth understanding of the GDPR.
   • Knowledge of the business sector.

QUESTIONS about expertise and skills of a DPO?

How to become a DPO?

How to become a DPO?
1) Requirements under the GDPR
   • There are NO formal requirements on how to become a DPO under the GDPR. The only condition is that the expertise and skills must be there.
   • It is the responsibility of the Controller or Processor to choose an appropriate DPO; otherwise FINES are possible.
2) Requirements for certification under national law
   • National law cannot make any rules on who can be a DPO. BUT national law can set rules about certification of a DPO.
   • Certification is not required under the GDPR, but can be a means for a DPO to prove he or she possesses the necessary skills and expertise.
   • Certification can also be a help for orientation for the hiring Controller/Processor.

How to choose a DPO?

How to choose a DPO?
1) External or internal DPO
   Principle: the GDPR leaves free choice whether the DPO is an internal employee or an external company/freelancer.
2) Full-time or part-time DPO
   Principle: the GDPR leaves free choice whether the DPO is employed full-time or part-time, as long as there is enough time for the DPO to fulfil all tasks.
3) Contract of a DPO
   Principle: the GDPR does not specify how the relationship between a DPO and the employing organisation, whether internal or external, shall be regulated.

Internal DPO
• Better insight into the company’s business and the ongoing processing activities
• In a better position to set up a data protection compliance culture that fits the needs and the ways of the company
• DPO can be more easily established as an internal contact point for all data protection questions, as in-house and already known
• Recommended for: SMEs

External DPO
• More expertise and professionalism due to having many clients
• Often has adequate insurance covering the consequences of a breach of obligation
• Autonomy is more easily guaranteed, as there is no traditional employment relationship towards the processor or the controller
• Recommended for: large companies, group structures, entities carrying out high-risk data processing

QUESTIONS about how to choose a DPO? QUESTIONS about how to become a DPO?

Exercise – What questions do I need to ask myself when considering whether or not my company needs a DPO?
• 5-10 minutes to compose a list of questions you think you need to ask yourself for your organisation to figure out whether you need a DPO.
• Afterwards I will present my list to compare (and add to).
• Aim: a comprehensive question list that you can take with you and use for the assessment of whether or not you need a DPO.
• The pre-question is given, and is: Is the GDPR applicable? (includes assessment of whether there is processing of personal data). Only if this question is answered with yes do you need the other questions.

Pre-question 1: Is the GDPR applicable?
• No → assessment unnecessary
• Yes → proceed to Q1
Question 1: Are you a public authority?
• Yes → DPO
• No → Q2
Question 2: Does your core activity consist of the processing of personal data on a large scale?
• No → no DPO needed
• Yes → Q3
Question 3: Does the processed data include special categories of data or data about criminal convictions?
• Yes → DPO
• No → Q4
Question 4: Does the processing amount to regular and systematic monitoring?
• Yes → DPO
• No → no DPO needed according to the GDPR; check national laws and other Union laws whether they require a DPO

Evaluation and feedback
• Evaluation forms
• Attendance sheet

Credits