- 29 Dec 2016
Some large companies already rely on one or more persons who check that the company complies with data protection rules. When the General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018, certain employers will be obliged to appoint a "data protection officer".
1 To which organisations does this obligation apply?
The appointment of an official is obligatory for:
public authorities and bodies, with the exception of courts acting in their judicial capacity;
private sector organisations whose core activities consist of:
either processing operations that, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
or processing on a large scale of sensitive data (special categories of personal data or data relating to criminal convictions and offences).
In the private sector there is thus no obligation if personal data are only processed as a secondary activity. The exact scope is to date not entirely clear. It remains to be seen whether, for example, financial institutions, social secretariats (accredited payroll service providers) and insurance companies are also to be included.
In any case, the Article 29 Working Party assumes in its guidelines (cf. point 5) that supporting activities such as standard IT or payroll operations are not core activities, even though they are crucial or essential for the organisation. In case of doubt, it is recommended that you document in writing the reasoning behind a decision not to appoint a data protection officer.
Furthermore, the GDPR grants Member States the option to extend the scope of the obligation to appoint an official. Time will tell whether the Belgian legislator will make use of this possibility.
2 Who can be appointed as an official?
The official has to be an expert in data protection legislation and practice. This may be a staff member or an independent service provider. Even though the GDPR does not mention this explicitly, it is in our view not excluded that a legal entity could be appointed as an official.
Within a group of companies, a single official may be appointed, on condition that the official is easily accessible from each establishment.
3 What are the official’s tasks?
The official has to:
inform and advise the employer and the employees who process personal data regarding their obligations under the data protection legislation;
monitor compliance with the data protection legislation and with the employer's data protection policies, including the assignment of responsibilities, awareness-raising and training of staff;
give advice when the employer has to perform a prior "data protection impact assessment" for processing operations that are likely to present a high risk, and monitor the performance of that assessment;
cooperate with the supervisory authority (in Belgium, the Privacy Commission) and act as its point of contact.
4 What is the official’s position within the organisation?
The official reports directly to the highest management level and must be able to carry out the role independently; the employer may therefore not give the official instructions regarding the performance of these tasks. Although the official may fulfil other tasks and duties, care must be taken that these do not give rise to a conflict of interests.
The official is also bound by secrecy or confidentiality, must be involved properly and in a timely manner in all matters relating to data protection, and must be provided with the resources necessary to perform the tasks. Data subjects may contact the official with regard to the processing of their data and the exercise of their rights under the GDPR.
It is important to note that the official may not be dismissed or penalised by the employer for performing the tasks of a data protection officer.
5 A useful tool: the guidelines of the Article 29 Working Party
On 13 December 2016, the Article 29 Working Party adopted guidelines on data protection officers. Due consideration was given to the previous experience of Member States whose legislation already requires the appointment of an official (e.g., Germany and Hungary) and to the practices they currently apply.
The guidelines of the Article 29 Working Party include several clarifications and recommendations intended to help organisations comply with the new obligations regarding the official. However, they are not binding.
The guidelines can be consulted here.