GDPR Data Protection Officer and GDPR EU Representative

The GDPR is enforced at several different levels:

  • At the top, we have the Data Protection Authorities, who enforce the law at the national level in each EU Member State.
  • At the base level, individual data subjects can enforce protection of their own personal data, by exercising their data subject rights and bringing claims against data controllers and data processors.

In this chapter, we'll be introducing two roles that are also important in the context of enforcing the GDPR.

  • The Data Protection Officer (DPO) - DPOs are appointed by certain organizations to ensure compliance with the GDPR within the organization itself.
  • The EU Representative - EU Representatives are appointed by organizations based outside of the EU. They can be held accountable by a Data Protection Authority if a non-EU organization fails to comply with the GDPR.

We're going to look at whether you need to appoint someone to either of these roles within your company; and, if so, how you can go about doing this.

GDPR Data Protection Officer

The GDPR sets out the role and status of the DPO at Articles 37-39, and provides some further information at Recital 97.

What Does a Data Protection Officer Do?

The DPO has certain tasks under the GDPR, including:

  • Advising staff within an organization on matters of data protection, and how they can comply with the GDPR
  • Monitoring compliance with the GDPR within the organization, and monitoring compliance with that organization's own data protection policies
  • Assigning responsibilities for particular data processing activities to staff within the organization
  • Providing training and raising awareness about how to comply with the GDPR
  • Conducting or co-ordinating data protection audits
  • Helping with and monitoring the carrying out of Data Protection Impact Assessments
  • Cooperating and liaising with the Data Protection Authority

You can think of the DPO as the go-to person for data protection matters within an organization. If you have any questions about how to comply with the GDPR, or how to carry out a particular act of data processing, the DPO would be your first port of call.

Can Anyone Be a Data Protection Officer?

A DPO isn't required to have any specific qualification or level of experience in the field of data protection. However, the GDPR does have certain requirements regarding who can take up this role.

A DPO may work within your company (an existing employee can take up this role), or they may be an external contractor. They must:

  • Be chosen on the basis of their "professional qualities"
  • Have an "expert knowledge" of data protection law and practice
  • Be capable of carrying out the tasks listed in the section above

Note that it may be possible to train someone within your company so that they meet these specifications.

What is the Status of a Data Protection Officer Within a Company?

Given the importance of the tasks that the DPO is required to carry out, they hold a particularly important place within a company.

Here's what the GDPR has to say about a DPO's status.

The DPO might be someone who already has a full-time job within your company. However, the GDPR states that a DPO must:

  • Be completely independent when carrying out their tasks
  • Not be dismissed or otherwise disciplined for an action taken in the course of their duties as DPO
  • Report to the very highest level of management within the company
  • Not be asked to carry out any other tasks within the company that might present them with a conflict of interest (e.g. the Head of Human Resources might not be an appropriate person to fulfill the role of DPO as their job requires a lot of data processing)
  • Be consulted as soon as possible in all matters relating to data protection
  • Be given sufficient time to carry out their duties effectively
  • Receive a budget that is sufficient to allow them to carry out their tasks

Does Your Company Need to Appoint a Data Protection Officer?

Not all companies are required to appoint a DPO. Certain criteria are laid out in the GDPR.

Appointing a DPO is mandatory if your company:

  • Is a public authority or body. There is no guidance in the GDPR as to what constitutes a public authority or body. The Article 29 Working Party suggests that this might include utilities companies, transport services, and public broadcasters.
  • Processes special category data or criminal conviction data on a large scale as part of its core activities.
  • Engages in regular and systematic monitoring of individuals on a large scale as part of its core activities.

This last point is likely to be the most relevant to developers or web and software development companies.

Let's break this specification down.

Monitoring

"Monitoring" is defined at Recital 24 of the GDPR. It can include where an individual is "tracked on the internet," and where any personal data collected via this tracking is used in order to make decisions about them or predict their personal preferences.

This includes behavioral advertising, such as personalized ads, retargeting and remarketing campaigns.

Regular and Systematic

According to the Article 29 Working Party, "regular and systematic" could mean:

  • Ongoing at regular intervals over a fixed period
  • Constant
  • Organized and methodical
  • Part of a general plan or strategy to collect personal data

Large Scale

To determine whether your monitoring is "large scale," consider:

  • The number of individuals whose personal data is processed
  • How much personal data you're processing
  • How far-reaching the processing is

It is possible for a very small team of people to process a very large amount of personal data.

Core Activities

"Core activities" is not defined in the GDPR. But the Article 29 Working Party is on hand again to interpret this for us.

Here are some examples of activities that would probably not form part of your core activities:

  • Paying your staff
  • Monitoring staff sickness
  • Keeping a newsletter mailing list

Although these tasks involve processing personal data, sometimes even sensitive data, they are ancillary activities that merely support your main business operations. Core activities are those that are essential for you to carry out in pursuit of your company's main goals. They are the important, primary activities of your company.

Examples

You will have to decide whether to appoint a DPO based on the unique circumstances of your company. But remember that it's better to have a DPO and not need one than to need a DPO and not have one. The latter case would be an infringement of the GDPR. Some companies do appoint a DPO voluntarily.

The GDPR is characteristically light on examples of when a DPO might be necessary. But based on the analysis above, let's consider some instances of the sorts of development projects for which it would be appropriate to nominate a DPO.

Your company may need to appoint a DPO if it's involved in developing an instant messaging or social networking app.

People might use an instant messaging or social networking app to transmit highly sensitive personal data of a revealing, private or intimate nature. People might send each other bank details, love letters, information about their health status - you really can't be too careful if you're controlling or developing this sort of app.

For example, Snap, owner of Snapchat, has a DPO:

Snap and the GDPR: Intro section

You should also consider appointing a DPO if your company develops apps or devices that reveal precise (or "fine") location data. Processing "coarse" location data is less sensitive and would not in itself require the appointment of a DPO.

For example, Garmin, which makes GPS receivers and processes large amounts of location data, has a DPO:

Garmin Connect Privacy Policy: Data Controller and Data Protection Officer clause excerpt

You may need to appoint a DPO if involved in the development of apps or hardware for wearable devices that process health, fitness or wellbeing data.

Whilst the law makes a distinction between "health data" (which is "special category" data) and "fitness data" (such as step counts, heart rate, workout information), you must treat both types of personal data carefully.

For example, Fitbit, which tracks health and activity-related data, has a DPO:

Fitbit Privacy Policy: Contact clause with DPO information highlighted

You might require a DPO if conducting large-scale email remarketing and other behavioral advertising campaigns.

For example, retargeting provider Criteo has a DPO:

Criteo: What You Need to Know About the GDPR - Data protection officer section highlighted

This is particularly important where there is some sensitivity to the type of product on offer (e.g. where it is related to health conditions, political views, sex life, etc.), and where these form part of a company's "core activities."

Companies involved in developing apps, software or hardware for smart home devices may need to consider appointing a DPO.

Miele manufactures domestic appliances, some of which are connected to the Internet of things. Miele has a DPO:

Miele Privacy Notice: Data Protection Officer

National Law

It's important to note that some EU countries, for example, Germany, impose a stricter requirement for appointing a DPO than is contained in the GDPR. You must check the local and national laws of the countries in which your company operates before making a decision about whether to appoint a DPO.

Appointment of a Data Protection Officer Letter

If your company needs to appoint a DPO, you should do so in writing. This requires an appointment letter.

Your appointment letter must include details of:

  • The name of your company and your DPO
  • The date and term of the appointment (if applicable)
  • The DPO's tasks
  • The DPO's status within your company

GDPR EU Representative

We've spoken a lot about how even non-EU companies are required to comply with the GDPR. This section will be important for you if your company is based outside of the EU and meets the criteria for GDPR compliance discussed in previous chapters.

The GDPR can be straightforwardly enforced on non-EU companies if the company has some offices or bases in the EU. For example, Google has an EU headquarters in Ireland.

But it's less straightforward to enforce the GDPR on companies who have no presence in the EU whatsoever.

This is where an EU Representative comes in.

What Does a GDPR EU Representative Do?

The appointment of an EU Representative is one of the ways that such companies can be held responsible for complying with the GDPR. An EU Representative is based in an EU country and can, therefore, be brought before an EU court.

An EU Representative has fewer active duties than a DPO. They are responsible for:

  • Acting as the main point of contact for individuals and Data Protection Authorities in the EU
  • Keeping records of certain data processing activities in the EU, if the company is required to do so under Article 30 (we looked at this obligation in the previous chapter)
  • Cooperating with Data Protection Authorities in the event of a data breach or an allegation of infringement of the GDPR

Can Anyone Be an EU Representative?

An EU Representative must have the following attributes:

  • They must be established with some legal presence in one of the EU countries
  • They must be able to speak the language of the country in which they are established, or at least speak one of the official EU languages
  • They cannot act as DPO and EU Representative for the same company

Other than this, you're basically free to choose whoever you wish to represent you in the EU. It might be an individual or a corporation.

What is the Status of an EU Representative Within a Company?

Like a DPO, an EU Representative can either work directly for your company, or they can be an external contractor.

An EU Representative can represent multiple companies at once. There are some agencies which provide EU Representatives.

The EU Representative isn't afforded the same independence and authority as a DPO. They must, however, be granted sufficient resources and have sufficient availability to carry out their duties.

Does Your Company Need to Appoint an EU Representative?

If your company is not established in the EU, the threshold for appointing an EU Representative is much lower than the threshold for appointing a DPO.

It is mandatory to appoint an EU Representative unless:

  1. Your company is a public body
  2. Your company only processes personal data in a way that is occasional, is unlikely to result in a "risk to rights and freedoms," and
  3. Does not involve a large amount of special category or criminal conviction data

"Non-occasional" processing is a much lower threshold than the "regular and systematic" monitoring on a "large scale" that is a prerequisite of appointing a DPO.

It's also worth noting that any company carrying out processing which is high-risk or involves special category data or criminal conviction data would still need to appoint an EU Representative, even if processing is "occasional."

This will cover a lot of companies. The reality is that if you're likely to receive inquiries from your EU-based data subjects, it's appropriate to field these inquiries through an EU Representative.

Examples

No examples of the sorts of companies that might need to appoint an EU Representative are provided by the GDPR.

The requirement is so broad that it's not really useful to consider what types of companies would need to appoint an EU Representative. Instead, let's take a look at some examples of real companies who have made this appointment. All of these examples are of companies whose main product or service involves some web or software development.

Urbandroid is an app developer based in Switzerland (a non-EU country). Urbandroid's portfolio of apps includes sleep tracking, translation and alarm apps. Urbandroid has appointed an EU Representative:

Urbandroid Privacy Policy: Owner and data controller and EU representative clauses

Product Hunt is a website for tech enthusiasts to share information about new product releases. Product Hunt has appointed an EU Representative:

Product Hunt Privacy Policy: EU Representative clause

HR Acuity provides a web-based SaaS Human Resources product. HR Acuity has appointed an EU Representative:

HR Acuity Privacy Policy: EU Representative clause

Serpstat is an SEO platform established in Seychelles. Serpstat has appointed an EU Representative:

Serpstat Privacy Policy: Contact Details of Data Controller and EU Representative clause

Appointment of an EU Representative Letter

The GDPR requires that you appoint your EU Representative via a "written mandate." This can be a letter which sets out the terms of the appointment and makes everything official.

Your appointment letter should include:

  • The effective date of the appointment
  • The name and contact details of your company and your EU Representative
  • The tasks of the EU Representative as listed above

When considering the country in which your EU Representative should be based, try to choose the country where the majority of your EU users reside. If your website is written in English, this is likely to be the UK or Ireland. If you only export to Germany, then your EU Representative should be established there.

Updating Your Privacy Policy

If you're required to appoint either a DPO or an EU Representative, you must make sure people know how to contact them. This includes updating your company's Privacy Policy to include their name and contact details.

Here's how Encyclopaedia Britannica has listed both its DPO and the EU Representative in its Privacy Policy:

Encyclopaedia Britannica Privacy Policy: EU Representative and Data Protection Officer clause

Key Takeaways from This Chapter

In this chapter, we've looked at another two important characters in the GDPR: the Data Protection Officer (DPO) and the EU Representative.

You should appoint a DPO if your company:

  • Is a public body
  • Processes large amounts of sensitive personal data as part of its core activities
  • Regularly and systematically monitors people's behavior on a large scale as part of its core activities

You should appoint an EU Representative if your company:

  • Is not established in the EU
  • Is not a public body
  • Processes personal data on a non-occasional basis
  • Processes personal data even on an occasional basis, if that processing involves sensitive personal data and could present a risk to individuals