The Data Protection Officer: a new role created by the new General Data Protection Regulation
The new General Data Protection Regulation (GDPR) was adopted by the European Parliament on 14 April 2016. While the Regulation will simplify paperwork for companies, in particular through the establishment of a supervisory authority, it will also add to their internal procedures by requiring the appointment of a Data Protection Officer.
The Regulation provides that the controller must designate a "Data Protection Officer" ("DPO") (in France, the CIL) in certain circumstances, including:
- When the processing is carried out by a legal person and concerns more than 5000 data subjects over a period of twelve consecutive months, or when the core activities of the controller or the processor consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects;
- Or when the core activities of the controller or the processor consist of processing the special categories of data referred to in Article 9, paragraph 1, location data, or data relating to employees in large-scale computer files.
What the GDPR provides
Article 37.6 states that the Data Protection Officer may be an employee of the controller or the processor, or may perform the duties on the basis of a service contract where the controller prefers an external officer.
Article 37.7 states that the controller or the processor publishes the contact details of the Data Protection Officer and communicates them to the supervisory authority.
Article 38 deals with the duties of the Data Protection Officer. It stipulates that "the controller and the processor help the Data Protection Officer to carry out the tasks referred to in Article 39 by providing the resources necessary to perform those tasks, access to data and processing operations, and the means to maintain his expertise."
Article 38 of the European Regulation also specifies that the Data Protection Officer is appointed on the basis of his professional qualities and, in particular, his specialized knowledge of data protection law and practice, and his ability to perform the tasks referred to in Article 39.
Requirements for the DPO
Although no specific degree is required, the Regulation reinforces the need for training. The Correspondant Informatique et Libertés guide published by the Commission nationale de l'informatique et des libertés (CNIL) also notes that "when the CIL does not have all the qualifications required at the time of his appointment, he will have to acquire them."
The job requires legal, technical (to interact with IT staff while keeping a critical mind), organizational and communication skills. The required knowledge must also cover the field of activity in which the Data Protection Officer performs his duties; the CIL's knowledge must therefore extend to the laws specifically applicable to the entity.
Although during the debate in the Council it was envisaged that the controller or the processor would designate a Data Protection Officer for a minimum of four years in the case of an employee, or two years in the case of an external provider, the Regulation is silent on the duration of the DPO's appointment and on the end of his mission.
The Data Protection Officer must be accountable only "at the highest level of management of the controller or the processor" and must receive "no instructions regarding the performance of his duties".
A role on which companies will have to rely
Accordingly, the CNIL calls for the appointment of a DPO: "Turning to a CIL is now the best way for a company or an administration to prepare for the General Data Protection Regulation, under which it will become mandatory in many cases in 2018."
According to Article 83, which specifies the terms and conditions for imposing administrative fines, failure by a controller subject to the obligation to appoint a Data Protection Officer, whether intentionally or negligently, can lead to a fine "of up to 10 million or, in the case of an enterprise, up to 2% of total global annual turnover of the previous year."
Appointing a Data Protection Officer could therefore be useful for large organizations with many services and departments authorized to carry out processing of personal data, which have some difficulty identifying these processing operations and recording them in their register. The DPO will be the person who keeps and updates the register.
Any entry in the register should always be subject to prior consultation of the Data Protection Officer, to ensure that the processing complies with the GDPR and with any other legal provision applicable to the protection of personal data.
Master 2 student in Droit de l'économie numérique (Digital Economy Law) at the Université de Strasbourg