News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | GDPR conundrums: The data protection officer requirement Related reading: OCR issues rule for reproductive health care under HIPAA

rss_feed

""

""

One for all ... Maybe?

The General Data Protection Regulation introduces a general EU-wide obligation to appoint a data protection officer for controllers and processors involved in high-risk processing activities, i.e., where one of a company’s core activities is the large-scale monitoring of individuals or processing of sensitive data. This obligation has been one of the most debated and amended provisions in the legislative process of the GDPR. It was also one of the reasons the German government opposed the GDPR taking the form of a regulation as this would set aside the current German requirement for nearly all controllers to appoint a DPO.

The proposals truly flip-flopped:

  • From a mandatory requirement to appoint a DPO, which would override national requirements to appoint  a DPO in the Member States even if those requirements are stricter (Commission’s  initial proposal),
  • … to appointment of a DPO being fully voluntary (Council’s version),
  • … and ultimately to a mandatory requirement which does not override stricter national requirements for a DPO in the relevant Member State (the adopted version).

And:

  • From a very high threshold where the DPO requirements would only apply to large enterprises with more than 250 employees (Commission’s initial proposal), causing the WP29 to complain that the requirement would apply to only 40% of the companies in the EU;
  • … to a very low threshold whereby a DPO would be required for companies processing personal data of more than 500 individuals per year (Committee on Civil Liberties, Justice and Home Affairs of the Parliament’s version) making the requirement to appoint a DPO mandatory for nearly all companies and the threshold being increased to 5000 data subjects in any consecutive 12-month period (Parliament ‘s version);
  • … and ultimately to material criteria with no minimum threshold based on number of employees or individuals whose data are processed other than the requirement that the relevant processing activities must be large-scale.  

Given this history, it is worth discussing the final text in light of the various earlier proposals to see what the end result has delivered and whether after all of the proposals and fierce debate it is now finally clear when companies are required to appoint a DPO. Spoiler alert: I am not sure it is clear at all, and if we do not get clear guidance from the WP29, the current provision may potentially lead to companies appointing DPOs where it is not warranted.

The current requirements

The Data Protection Directive does not stipulate any obligation for controllers to appoint a DPO. Consequently, most of the corresponding national laws of the Member States, for example the UK implementation laws, do not make any mention of a DPO.

Nonetheless, the Directive provides a potential field of application for DPOs with significant practical impact. Under the Directive, as a rule any intended processing operation of personal data requires that the processing must be notified to the national data protection authority. However, Member States are free to allow exemptions from the aforementioned notification duty, inter alia, in the case of data controllers that appoint a DPO. As an internal supervisor, a DPO is supposed to ensure compliance with data protection law from within the organisation of the controller, which ultimately warrants a suspension of the preliminary notification duty.

This option has been implemented in a number of EEA countries, including Estonia, France, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Poland, Slovakia, Sweden, as well as in Switzerland, where appointment of a DPO is voluntary but can reduce or eliminate an organisation’s DPA notification obligations. Instead of notifying the DPA about its data processing systems, the company can “notify” its own DPO about its processing operations, and the DPO will maintain an internal registry. Only a few of the Member States have opted to make the appointment of a DPO mandatory, most notably, these are:

  • Germany: If more than ninepersons areconstantlyemployed in theautomatedprocessing ofpersonal data, or if 20 personsor more areemployed in non-automated processing ofpersonal data (e.g., HR personnel accessing personnel files).
  • Croatia: When an organisation has more than 20 employees, it must appoint a personal data “security officer” whose duties incorporate a wide range of data protection-related activities.
  • Hungary: Appointment of a DPO is mandatory in certain industries only, such as telecommunications providers and financial organisations.
  • Spain: Appointment of a security officer is mandatory when the personal data processed are subject to “medium-” and/or “high-level” security requirements. 

The GDPR

The GDPR requires controllers and processors to appoint a DPO when their core activities:

  • consist of data processing operations, which by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • consist of data processing on a large scale of special categories of data.

The requirement to appoint a DPO is mandatory in the GDPR, but other than in the initial proposal of the Commission, it does not set aside the national requirements of the Member States. This was clearly a concession to Germany in order to overcome its objections to the GDPR taking the form of a regulation and overriding its stricter national requirement of when to appoint a DPO. A group of companies may appoint a single DPO, provided such DPO is “easily accessible from each establishment.” It therefore seems possible to appoint a DPO (which is mandatory under German law) to also function as the “single DPO” for a group of companies under the GDPR.

What does “large scale” mean, exactly?

EU legislators have opted for two material requirements relating to types of processing activities without any minimum threshold regarding the number of employees of such company or the number of individuals whose data are being processed. This seems sensible, as it is very difficult to decide in advance whether a DPO is warranted based on the number of employees or the number of individuals whose data are being processed. A manufacturing company can, for example, have a substantial number of employees but perform no invasive data processing whatsoever; on the other hand, WhatsApp had at the time of its takeover by Facebook, only 55 employees and was processing an unprecedented amount of messages of individuals around the globe. Camera systems at a gas station may record visitors well above a threshold of 1500 individuals a year, while the processing itself is not invasive.

EU legislators ultimately settled on a requirement that the processing activities should be “large-scale,” which introduces a material threshold rather than an absolute minimum threshold. Note that there is currently little guidance on what large-scale processing means. The GDPR suggests that it means “processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects.”  However, it does not include the processing of personal data about patients or clients by an individual physician or lawyer (see Pre-amble 91). This guidance leaves a large grey area and therefore provides no guidance at all. 

In light of the widely diverting proposals on the minimum thresholds for appointing a DPO in the legislative process, it may well be that the views on what constitutes large-scale data processing for purposes of appointing a DPO may diverge as well, which may currently postpone the discussion rather than solve it.   

What constitutes “core activities”?

Organisations have to appoint a DPO if their “core activities” consist of regular and systematic monitoring of data subjects on a large scale or of processing sensitive personal data on a large scale (including processing information about criminal offences).

The recitals of the GDPR clarify that the core activities of an entity are a company’s primary activities and do not relate to the processing of personal data as an ancillary activity. Thus it is fair to assume that for example, the processing by controllers and processers of their own employee data does not qualify as a core activity, including large-scale processing of special categories of data (e.g., as part of an employee health program) or the regular and systematic monitoring of their employees (e.g., for purposes of data loss prevention). A similar conclusion would be justified if a company monitors wire payments and deposits for anti-money laundering purposes and verifies names against watch lists for anti-bribery, fraud or similar legal purposes, as these types of monitoring are not the core activity of such company, but ancillary.

The elephant in the room, however, is behavioural advertising, which without doubt qualifies as the “monitoring of behaviour of individuals.” By now most companies sell their services online and apply some form of behavioural advertising on their websites to tune the content of their websites and on-site advertising to the preferences of visitors. Advertising networks offering behavioural advertising services to their customers will perform such monitoring as a core activity and this will quickly fall within the definition of “large scale monitoring of individual.” But what if a company itself undertakes behavioural advertising to promote its products and services on its own website?

What constitutes the “monitoring of data subjects”?

The body of the GDPR does not define “monitoring of data subjects.” The criterion is also part of Article 3 of the GDPR, containing the applicability regime of the GDPR. The GDPR is also applicable if a controller or processor is not established in the EU processes where the processing activities are related to “the monitoring of the behaviour” of individuals in the EU “as far as their behavior takes place within the Union.”

The preamble of the GDPR relating to the scope of application, suggests that “monitoring of the behaviour of data subjects” refers to an organisation using online means to track and profile a data subject in the EU, particularly to make decisions concerning the data subject or analyse or predict his or her preferences, behaviours and attitudes.

See Preamble 26:

In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to make decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

Based on this guidance, the logical conclusion would be that monitoring of individuals would likely encompass online behavioural marketing for commercial purposes. Given the fact that most companies offering online services and products by now apply behavioural marketing, the consequence would be that all such companies should appoint a DPO for those reasons only, unless the relevant processing cannot be qualified as large-scale (e.g. if the company does not have many website visitors) or would not be considered to qualify as the company’s core activity. 

To solve the conundrum that all advertising of products and services qualify as core activities, which would lead to a DPO being required for most companies selling products and services online, I suggest the following solution: Whenever a company monitors individuals for purposes of behavioural marketing of its own products and services only, and does not also promote products and services of others and does not provide or sell its data to third parties for behavioural advertising purposes, I find it defendable that the relevant activity is not a core activity of the company as it does not generate its own revenues, but rather ancillary to its core activity of selling it products and services.

This may be different if a company applies behavioural profiling in order to make decisions concerning the individual (e.g., whether to offer a loan or grant a mortgage). In the latter case, profiling becomes an integral part of the offering of the services and products and would qualify as a core activity. The WP29 in its GDPR action plan has indicated that it will provide guidance on the DPO requirement as one of four priority subjects. Given the substantial obligations and investments required for companies to appoint a DPO, such guidance cannot come quickly enough. 

Author
Nonmember Contributor
Tags
Europe
Privacy Law
Privacy Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
IAB Europe responds to EDPB opinion on pay or consent
IAB Europe published a response to the European Data Protection Board's opinion on the legality of pay-or-consent models for obtaining valid consent to process personal data. IAB Europe said the opinion creates "legal uncertainty for many businesses beyond large online platforms" and the EDPB made "...
Read More queue Save This
UK NCSC updates cyber assessment framework
The U.K. National Cyber Security Centre updated its cyber assessment framework to include a focus on critical infrastructure vulnerabilities. It now includes sections on remote access, privileged operations, user access levels and multifactor authentication.Full story...
Read More queue Save This
EDPB publishes 2023 Annual Report
The European Data Protection Board issued its 2023 Annual Report. The report contains recaps of the EDPB's adoption of two binding decisions, as well as its urgent binding decision to order Meta to cease all processing of personal data in the European Economic Area.Full story...
Read More queue Save This
Related Stories
Tags
Europe
Privacy Law
Privacy Operations Management
Recent Comments