The External DPO: Controller or Processor?

10.04.2018 NL law

The upcoming General Data Protection Regulation (GDPR) has caused many companies intense compliance headaches due to its comprehensive scope, far-reaching obligations and severe penalties. However, the new rules have also brought about a range of new economic opportunities, in particular through the creation of the roles of Data Protection Officer (DPO) and EU representative.

Both roles can be fulfilled by external parties if desired. If, for instance, a smaller company does not need a full-time DPO, it can outsource the role to a qualified market party on the basis of a service contract. A lively trade has already arisen in this arena, with various market parties offering these services. Although this must be seen as a welcome development, some questions regarding the legal implications of both roles remain unanswered. In a two-part blog post, we examine the respective roles, highlight some of the issues surrounding them, and attempt to provide some guidance.

1. The role of the DPO

Not all organisations that process personal data are required to appoint a DPO. Article 37(1) GDPR only makes the officer a mandatory requirement for public authorities, organisations that process large amounts of sensitive data (such as medical records), and organisations that engage in ‘regular and systematic monitoring of data subjects on a large scale’, of which a classic example would be behavioural advertising.

Even those who are not strictly required to appoint a DPO may consider bringing one in. This is already happening in some European countries: in France, for instance, appointing a data protection officer is not (yet) mandatory, but doing so exempts the organisation from having to make declarations to the national data protection authority (CNIL).

The DPO, whose role is set out in articles 37 – 39 GDPR, is designed by the legislator to be simultaneously an independent monitor responsible for ensuring GDPR compliance, an educator of employees and management on data protection practices, and the contact person for both data subjects and the relevant data protection authority. He reports to “the highest level of management” (art. 38) of the processor or controller, which is generally presumed to be the C-suite or board.

A key aspect of the DPO is his independence, which means he cannot receive instructions from management on how to do his job, and cannot be dismissed for doing said job properly. In addition, art. 37 stipulates that the DPO should be “designated on the basis of professional qualities, in particular with regard to the tasks listed in art. 38”, a requirement which is expanded on further in the relevant guidelines issued by the Article 29 Working Party.

As mentioned earlier, the GDPR allows for appointing an external DPO. This can be a particularly cost-effective solution for a smaller company that is obligated to appoint a DPO, but does not require one on a full-time basis. The question remains, however, whether an external DPO can maintain his independence and special status if he is performing these duties as part of a wider range of tasks on behalf of the controller. Herein lies a looming risk of a potential conflict of interest.

2. Controller or Processor?

One question that seems to have evaded the attention of the legislators, the Working Party, and most commentators is this: what happens to the legal position of the external DPO when he receives personal data on behalf of the controller or processor in the performance of his duties? It is clear that the mere act of receiving and holding this data qualifies as processing it for the purposes of the GDPR (art. 4(2)), and there are no exceptions or special regimes for the DPO role. Thus, the external DPO must be either a controller or processor. Which is it?

A processor may only process data according to the instructions given by the controller (art. 28(3)(a)). The DPO, however, cannot receive instructions regarding the exercise of his tasks (art. 38(3)). This contradiction almost certainly rules out the possibility of the DPO being a processor, and so the external DPO in all likelihood becomes a data controller by default.

The above is supported by the 2010 Working Party guidelines on controllers and processors, in which the reasonably analogous position of the accountant is described in similar terms: if working as an employee, he is a processor; as an external service provider, he can only be a data controller.

What is the practical significance of all this? Firstly, it means that a processing agreement must be made between the controller/processor and the external DPO as part of the latter’s service contract. This agreement should, among other things, make it clear what security measures the DPO is to take, and how he is to act in the event of a data breach.

Secondly, although the DPO cannot be held liable for the controller or processor’s unlawful processing of data, this can theoretically change if he becomes a controller in his own right, meaning that – in the absence of further guidance – the DPO could be liable for administrative fines and civil law damages in respect of his own handling of the data.

To summarise: it is imperative for both those offering external DPO services and those seeking to engage them to consider – and contract for – this issue, by acknowledging and defining the position of the DPO as a data controller, by ensuring the DPO’s independence remains unquestionable, and by having clear procedures in place for unforeseen calamities.
