Grzegorz Gęborek

Attorney at law (Poland)
Senior Associate
Phone: +48 32 721 24 22

According to Recital 4 of the GDPR, the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This also applies to how the tasks and role of the Data Protection Officer (DPO) in an organisation are understood – a new function introduced by the General Data Protection Regulation (GDPR).

Is a DPO necessary in your organisation?

Article 37 of the GDPR lists the situations in which the data controller and the processor (acting on behalf of the controller) must designate a DPO; failure to designate one in those situations is subject to an administrative fine. A DPO is mandatory where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data referred to in Article 9(1) of the GDPR (sensitive data revealing e.g. origin, health condition, political opinions or beliefs) or of personal data relating to criminal convictions and offences referred to in Article 10.

Most enterprises operating in Poland and the EU will not need to designate a data protection officer. For many of them the role will be optional, so it is worth knowing what benefits it brings.

Beyond doubt, as the guardian of data protection processes, a DPO in any organisation will be responsible not only for observance of the GDPR but also for the compliance of the enterprise's activities and functioning with other data protection laws. A DPO will not merely safeguard the data processed by the controller or processor. His duties will include regular in-house audits that gather information on how personal data are processed and reveal any irregularities in the organisation. The function may be performed by a member of the controller's or the processor's staff or by an external professional who, in addition to safeguarding data processing, will also be able to review other processes in the organisation (e.g. financial, IT, logistics).

Does it make sense to appoint a data protection officer if the law does not require it? And will the DPO indeed be entitled to take on other tasks in addition to personal data protection?

DPO and the Article 29 Working Party

The Article 29 Working Party is an independent advisory body established under Article 29 of Directive 95/46/EC. The Working Party's guidelines state clearly that a data protection officer may facilitate compliance and help increase the enterprise's competitiveness. The DPO is to ensure compliance by means of accountability mechanisms and to liaise between all interested parties (e.g. the data protection authority, data subjects and the enterprise's departments).

One of the good practices promoted by the Working Party is to designate a DPO to supervise the activities of the entities towards which the processor acts as a data controller (e.g. providers of HR, IT or logistics services contracted by the data controller).

This suggests that the role and tasks of the DPO do not boil down to safeguarding the controller's (or processor's) compliance with the GDPR and other data protection rules and regulations, but extend to other actions that monitor processes in an organisation.

Other duties of the Data Protection Officer

Referring to Article 38(6) of the GDPR, the Article 29 Working Party explains that a Data Protection Officer who, for example, belongs to the organisation's staff may fulfil other tasks and duties, provided that they do not result in a conflict of interests. The Working Party emphasises that a Data Protection Officer may not occupy a role in which he determines the methods and purposes of data processing.

Consequently, on the one hand a DPO is deeply embedded in the GDPR realm, but on the other hand (especially while undertaking other tasks for the controller or processor) he operates outside the GDPR, and the DPO's activities may, for example, help increase the business efficiency of the controller or administrator and thereby improve their competitive edge.

Rödl & Partner experts are at your service if you are interested in this subject or any other changes that the GDPR may bring.

29.03.18