Commentary to art. 37


GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

A Data Protection Officer (“DPO”):

  • Is not required to be designated in every organisation, but some organisations are required to designate one;
  • Can be designated voluntarily;
  • Monitors compliance with the GDPR by the entity that has designated him or her;
  • Serves as a point of contact for the supervisory authority and data subjects;
  • Is not liable for non-compliance with the GDPR requirements – that liability burdens the entity that designated him or her.

Valuable information on the DPO’s obligations can be found in the Article 29 Working Party's Guidelines on DPOs, adopted on 13 December 2016, and on the website of PUODO (the Polish Office for the Protection of Personal Data), in particular under the “For DPOs” tab.

Who is required to designate a DPO:

Not every controller or processor is required to designate a DPO. Under the GDPR, the obligation to designate a DPO exists where:

(a) The processing is carried out by a public authority or body, with the exception of courts acting in their judicial capacity;

(b) The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope or their purpose, require regular and systematic monitoring of data subjects on a large scale; or

(c) The core activities of the controller or the processor consist of processing, on a large scale, special categories of data referred to in GDPR Article 9(1) and personal data relating to criminal convictions and offences referred to in GDPR Article 10.

In our commentary, we will focus on the private sector, so let’s take a closer look at premises (b) and (c).

What is the core activity of the controller/processor?

According to GDPR Recital 97, in the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as an ancillary activity. The Guidelines indicate that processing counts as a core activity if it is essential to achieving the controller's or the processor's objectives.

What does ‘large scale’ mean?

There is no definition in the GDPR. The WP 29 Guidelines recommend considering the following factors:

  • The number of data subjects - either as a specific number or as a proportion of the relevant population
  • The duration of the data processing activity
  • The geographical scope of the processing activity
  • The volume of data processed

However, the WP 29 Guidelines do not provide any specific figures - it is therefore difficult to assess when 'large scale' begins. The supervisory authorities of the European Union Member States also apply different numerical thresholds, in some cases further differentiated according to the categories of personal data processed. The Polish supervisory authority (PUODO) has not issued any guidance in this regard.

Selected examples of 'large-scale processing' from the WP 29 Guidelines:

  • Processing of patient data by hospitals
  • Processing of customer data by banks or insurance companies
  • Processing of personal data for behavioural advertising by a search engine
  • Processing of content, traffic or location data by telephone or internet service providers

What does ‘regular and systematic monitoring’ of data subjects mean?

There is no definition in the GDPR. Recital 24 of the GDPR refers to the monitoring of individuals' behaviour itself, indicating that consideration must be given to whether natural persons are tracked on the internet, including whether personal data processing techniques involving profiling of the individual are used, in particular in order to make decisions concerning the individual or to analyse or predict the individual's personal preferences, behaviours and attitudes. However, the WP 29 Guidelines make it clear that this should not be limited to the online environment.

The WP 29 Guidelines provide the following examples of activities that may constitute regular and systematic monitoring of data subjects:

  • Operating a telecommunications network
  • Providing telecommunications services
  • Email retargeting
  • Data-driven marketing
  • Profiling and scoring for purposes of risk assessment (e.g. credit risk assessment, insurance premium setting, fraud prevention, money laundering detection, etc.)
  • Location tracking, for example through mobile applications
  • Loyalty programmes
  • Behavioural advertising
  • Wellness, fitness and health monitoring via wearable devices
  • Closed circuit TV
  • Connected devices, e.g. smart meters, smart cars, home automation, etc.

Voluntary designation of the DPO

Even if an entity is not required to designate a DPO under the GDPR, it may do so voluntarily. However, if the entity decides (without having to designate a DPO under the GDPR) to designate another position responsible for personal data issues, the entity should, according to the Guidelines, clearly communicate that the person in that position does not have DPO status under the GDPR.

Documenting the need or not to designate a DPO

For accountability purposes, the entity should document that an assessment has been made as to whether or not it is necessary to designate a DPO. As the entity's situation may change, it is recommended that such an assessment be repeated from time to time.

Can a group of undertakings designate a single DPO?

A group of undertakings may appoint a single DPO provided that he or she is easily accessible from each entity. Each entity in the group for which a DPO has been designated should inform the supervisory authority of the designation of a DPO for that entity. The function of the DPO may be performed by a foreigner, but the controller is obliged to ensure efficient and effective communication in Polish between the DPO, the supervisory authority and the data subjects.

PUODO notes that the assessment of how many entities can be served by one DPO will depend, inter alia, on:

  • The effective availability of the DPO
  • The possibility for him or her to acquire detailed knowledge of the activities of the entity
  • Ensuring that he or she has a time commitment commensurate with the scope of the tasks and the specificity of the data processing
  • The need to avoid conflicts of interest
  • The size and organisational structure of the unit acting as data controller

It should be noted, as confirmed by PUODO, that it is permissible for several controllers to designate a single person, even outside the group of companies.

What knowledge and skills should the DPO have?

According to the GDPR, the DPO is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice, and the ability to perform the tasks set out in GDPR Article 39. Importantly, according to Recital 97 of the GDPR, the required level of expertise should be determined according to the data processing operations carried out and the protection required by the personal data processed by the controller or processor. According to the Guidelines, the level of expertise of the DPO must be commensurate with the sensitivity, complexity and volume of data processed by the entity in which he or she is designated. Thus, a higher level of expertise and support will be required if the entity in question processes a large amount of special categories of data.

Does the DPO have to be an employee of the controller or processor?

The GDPR states that the DPO may be an employee of the controller or processor, or may perform tasks on the basis of a service contract. This means that the DPO may be employed under an employment contract or a civil law contract. The form of cooperation of the DPO will affect the scope of his or her potential responsibilities. According to the Guidelines, a service contract may be concluded not only with a natural person, but also with another entity outside the controller’s or processor's organisation. However, it should be noted that, according to PUODO, the DPO himself must be a natural person. A legal person cannot be designated as DPO.

Formalities relating to the designation of the DPO

According to the GDPR, the controller or the processor must publish the contact details of the DPO and notify them to the supervisory authority. Below we present the main formalities for the designation of the DPO, taking into account the additional requirements of the Data Protection Act introduced by the Polish legislator.

Notifying PUODO of the designation of a DPO

Notification to PUODO of the designation of a DPO should be made within 14 days. In particular, the notification should indicate the full name and e-mail address or telephone number of the DPO.

What to consider:

The notification should be made using the official form available on the PUODO website. The notification must be in electronic form and bear a qualified electronic signature or a signature confirmed by the ePUAP trusted profile.

The notification may be submitted by an authorised representative. It should be accompanied by a power of attorney issued in electronic form.

Forms are available at: https://uodo.gov.pl/pl/502/2248


Publication of DPO data on the website

The entity that has designated a DPO shall make the DPO’s details (name and e-mail address or telephone number) available on its website immediately after the designation.

What to consider:

If the entity does not maintain its own website, the DPO’s details should be made available in a manner that is generally accessible at the place of business.


Need to update

The entity that designated the DPO will notify PUODO of any changes to the information contained in the notice of designation or revocation of the DPO within 14 days.

What to consider:

The notification should be made using the official form available on the PUODO website. The notification must be in electronic form and bear a qualified electronic signature or a signature confirmed by the ePUAP trusted profile.

The notification may be submitted by an authorised representative. It should be accompanied by a power of attorney issued in electronic form.

The forms can be found at: https://uodo.gov.pl/pl/502/2248

Example

Who should notify PUODO of the revocation of the DPO in case of liquidation of the controller?

According to PUODO, if the controller has not notified PUODO of the revocation of the DPO, this may be done by the entity that is the legal successor of the controller and has assumed the rights and obligations of the liquidated entity.

Deputy DPO

The Polish legislator has introduced the possibility for the entity that has designated the DPO to appoint a deputy for the period of the DPO's absence. The designation of the deputy should take into account the criteria mentioned in GDPR Article 37(5) and (6) (professional qualifications and form of cooperation). The provisions relating to the DPO apply mutatis mutandis to the deputy DPO while he or she performs the duties of the DPO. The notification to PUODO of the designation of the deputy DPO should follow the same procedure as for the designation of the DPO (described in Section 7 above), using a dedicated form. In the case of the deputy DPO, it is also necessary to publish his or her details on the website of the entity that has designated him or her.

The DPO in PUODO's field of interest

PUODO pointed out that, in practice, the irregularities concerning the DPO mainly related to:

  • Failure to publish the name of the DPO on the controller's website
  • Failure to update the DPO’s details on the controller's website
  • Adopting procedures that burden the DPO with duties that create a conflict of interest
  • Specifying in the organisational rules that the DPO can be dismissed at any time
  • Reasons for dismissing the DPO
  • Incorrect positioning of the DPO in the organisational structure of the controller - the DPO did not report directly to the top management
  • Failure to provide the DPO with sufficient time and other resources necessary to carry out his or her duties
  • Failure to provide the DPO with financial and infrastructural support and the opportunity to update knowledge
  • Bypassing the DPO on matters relating to the processing of personal data (including on matters where controllers have sought the opinion of PUODO without first seeking the DPO’s opinion)

At the same time, PUODO indicated that it had developed the following set of questions concerning the DPO:

  1. Has a DPO been designated at the controller?
  2. Is the controller obliged to designate a DPO (if so, on what legal basis?) or has a DPO been designated in the absence of such an obligation?
  3. Has the controller published the full name and contact details of the DPO on its website or, if it does not maintain a website, in a manner generally available at its place of business?
  4. Is the above information available in a publicly accessible location (please indicate the location; in the case of a website, please provide the address and a link to this information)?
  5. Is the DPO an employee of the controller and, if not, on what legal basis does he or she perform his or her duties?
  6. Has the DPO been designated exclusively by the controller or does he or she also perform his or her duties for other controllers?
  7. On what basis has the controller designated the DPO (e.g. training, experience, knowledge)?
  8. What necessary resources, as referred to in Article 38(2) of Regulation 2016/679, does the controller provide to the DPO?
  9. How does the controller provide the necessary resources to maintain the expertise of the DPO?
  10. What is the DPO’s position and to whom does he or she report within the organisational structure of the controller?
  11. Has the controller designated a deputy DPO and if so, when?
  12. Does the controller have a DPO team or any other form of ongoing support for the DPO in the performance of his or her duties?
  13. How does the controller ensure that the DPO is involved, properly and in a timely manner, in all matters relating to the protection of personal data (for example, whether rules have been developed on what matters are to be consulted with the DPO, who should consult the DPO and in what situations, whether and under what conditions the DPO attends management meetings)?
  14. How does the controller provide the DPO with access to personal data and processing operations?
  15. Has the controller adopted internal rules governing the functioning of the DPO (in particular to ensure compliance with the guarantees of his or her independence and powers as regards access to personal data and processing operations, involvement in all matters relating to the protection of personal data, avoidance of conflicts of interest, etc.) and, if so, in which internal act have they been provided for?
  16. How does the controller ensure that the DPO is not instructed on how to carry out his or her duties?
  17. How does the controller ensure that the DPO is not punished or dismissed for the performance of his or her duties?
  18. How does the controller deal with situations where he or she does not follow the instructions or recommendations of the DPO? For example, does he or she document the reasons for not following these instructions?
  19. How can data subjects contact the DPO in accordance with Article 38(4) of Regulation 2016/679?
  20. Does the DPO have any other duties or functions in addition to his or her data protection duties? If so:
    1. Which DPO functions and other tasks does he or she perform, and how much time do they take up?
    2. How has the controller assessed that there is no conflict of interest in the performance of each of these duties, in accordance with Article 38(6) of Regulation 2016/679?
    3. In performing other tasks, does the DPO report to anyone other than the controller's senior management?
  21. Has the controller developed a policy on the management of conflicts of interest or put in place any other mechanism to ensure that conflicts of interest do not arise?
  22. Does the DPO perform his or her duties only on the premises of the controller? If not, where and how is the DPO's permanent availability to the controller's management and staff ensured?
  23. Has the DPO developed (or regularly develops) a plan for his or her work, e.g. in terms of training or audits?
  24. Has such a plan been submitted to the controller so that an assessment can be made as to whether the DPO has sufficient resources and authority in the areas covered by the DPO?
  25. How often and in what way does the DPO communicate the results of data processing audits to the controller?
  26. Has the controller asked the DPO to make recommendations on the data protection impact assessment and, if so, in what situations?
  27. Does the controller supervise the work of the DPO and, if so, in what way?