In certain situations a company must appoint a Data Protection Officer (DPO) to support it in fulfilling its data protection responsibilities. Both Data Controllers and Data Processors may be obliged to appoint a DPO, but it is important to bear in mind that the DPO's role is one of support and guidance, not of fulfilling the obligations of the Controller or Processor on their behalf. In line with the GDPR's principle of accountability, Controllers and Processors who appoint a DPO must continue to play an active role in, and bear the responsibility for, the company's data protection procedures. In this article we outline who needs to appoint a DPO and what that position involves.
Written by Abigail Sked
Paralegal
Which companies need to hire a Data Protection Officer in Spain?
It's really going to depend on what type of data your company processes, how that data is processed and on what scale.
Is your organisation a public authority or does it process special categories of data or regularly and systematically monitor data subjects?
The GDPR (article 37) states that Controllers and Processors must designate a Data Protection Officer in the following cases:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation) or personal data relating to criminal convictions and offences.
Apart from the point about public authorities, this perhaps leaves one more confused than before due to vague words like "large scale" and "core activities". Luckily, both the Spanish law and European Union guidance provide some clarification.
Examples of organisations which need a DPO
The LOPDGDD (article 34) has outlined certain specific situations in which a DPO will need to be designated:
- Professional bodies and their general boards.
- Educational establishments offering education at any of the levels established in the legislation regulating the right to education, as well as public and private universities.
- Entities that operate networks and provide electronic communications services in accordance with the provisions of their specific legislation, when they regularly and systematically process personal data on a large scale.
- Information society service providers when they produce profiles of service users on a large scale.
- Entities included in Article 1 of Ley 10/2014, de 26 de junio, de ordenación, supervisión y solvencia de entidades de crédito (Law 10/2014, of the 26th of June, on the regulation, supervision and solvency of credit entities).
- Financial credit institutions.
- Insurance and reinsurance companies.
- Investment services companies, regulated by the legislation of the Mercado de Valores (Securities Market).
- Distributors and suppliers of electricity and distributors and suppliers of natural gas.
- Entities responsible for common files for the evaluation of solvency and creditworthiness or common files for the management and prevention of fraud, including those responsible for files regulated by legislation on the prevention of money laundering and of financing of terrorism.
- Entities that carry out advertising and commercial prospecting activities, including commercial and market research activities, when they carry out processing based on the preferences of the data subjects or carry out activities that involve their profiling.
- Health care centres that are legally obliged to keep patients' medical records. Excepted are health professionals who, although legally obliged to keep patients' medical records, carry out their activity on an individual basis.
- Entities that have as one of their objects the issuing of commercial reports that may refer to natural persons.
- Operators that carry out gambling activities through electronic, computerised, telematic and interactive channels, in accordance with the regulations governing gambling.
- Private security companies.
- Sports federations when they process data relating to minors.
The following comparison provided by the European Commission highlights the importance of considering whether you are processing data on a large scale or in an arguably invasive way:
A DPO is mandatory for example when your company/organisation is:
- a hospital processing large sets of sensitive data;
- a security company responsible for monitoring shopping centres and public spaces;
- a small head-hunting company that profiles individuals.
A DPO isn’t mandatory if:
- you're a local community doctor and you process personal data of your patients;
- you have a small law firm and you process personal data of your clients.
What do the criteria "profiling", "core activity", "systematic monitoring" and "large-scale processing" mean?
Profiling
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (article 4, GDPR).
Core activities
The key operations needed to achieve the controller's or processor's objectives. These also include all activities where the processing of data forms an inextricable part of the controller's or processor's activity. For example, processing health data, such as patients' health records, should be considered one of any hospital's core activities, and hospitals must therefore designate DPOs.
Activities that all companies carry out, such as paying employees or having standard IT support activities, though necessary, are generally not the core activity of the business.
Regular and systematic monitoring
This includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising, but it can take place offline too.
Examples of activities that may constitute a regular and systematic monitoring of data subjects: operating a telecommunications network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc.
Large-scale processing
Factors to be taken into account when determining whether processing is carried out on a large scale:
- the number of data subjects concerned - either as a specific number or as a proportion of the relevant population
- the volume of data and/or the range of different data items being processed
- the duration, or permanence, of the data processing activity
- the geographical extent of the processing activity
Guidelines on Data Protection Officers
Can I voluntarily appoint a Data Protection Officer?
Yes, any organisation can appoint a Data Protection Officer to advise them, even if they are not obliged to do so. However, if you choose to do so, you must complete the same steps as those who are obliged to appoint a DPO, such as carefully choosing a suitable DPO and notifying the Data Protection authorities about the appointment.
Any Data Protection Officer is to be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil their tasks.
What are the tasks of a Data Protection Officer?
As set out in Article 39 of the GDPR, the Data Protection Officer shall have at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation required when an impact assessment indicates high risk, and to consult, where appropriate, with regard to any other matter.
Can I outsource the Data Protection Officer?
Yes, the Data Protection Officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
Outsourcing the DPO is quite common, because the DPO must be independent in the exercise of their duties and free from any conflict of interest, which can be difficult to guarantee for an in-house staff member.
A group of undertakings may appoint a single DPO, provided that the DPO is easily accessible from each establishment.
Notification to the Spanish Data Protection Agency
If the company appoints a DPO, it must notify the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) or, where applicable, the regional data protection authorities, within ten days.
At Conesa Legal we can help you if you're in need of a professional trained in Data Protection:
Check out our data protection services