One of the main objectives of the EU General Data Protection Regulation (GDPR) privacy law is to protect individuals' privacy rights. It can be enforced by private legal claims, and by fines or other penalties issued by Data Protection Authorities.
But the GDPR sets so many important rules that they can't all be enforced by a central authority. This is where the Data Protection Officer (DPO) comes in. Certain companies must nominate a DPO, whose job is to keep data protection practices in check and act as the main point of contact for any privacy inquiries.
If you're required to appoint a DPO, you should set out the terms of the appointment in writing. Here's how you can make sure you're doing this correctly.
- 1. What is a Data Protection Officer?
- 2. When is a Data Protection Officer Required?
- 3. Appointment of a Data Protection Officer Letter
- 3.1. Details of the Appointment
- 3.2. Term of the DPO
- 3.3. Role of the DPO
- 3.4. Status of the DPO
- 3.5. Closing Statement
- 4. Summary of Your Appointment of Data Protection Officer Letter
What is a Data Protection Officer?
The GDPR is enforced in several ways.
- From above - by the European Data Protection Board, and the Data Protection Authorities operating in each EU country.
- From below - each individual ("data subject") plays their part in enforcement by exercising their data subject rights and reporting infringements.
- From inside - DPOs are trained to an expert level in data protection and administer data protection regulations, often within their own company.
The DPO performs a number of important tasks including advising employees about compliance with data protection law (primarily the GDPR itself) and monitoring the company's data protection practices. A DPO will also advise on Data Protection Impact Assessments and act as a company's main point of contact for Data Protection Authorities.
The DPO can be an existing employee within your company or an external contractor. If you're choosing to designate someone already working in your company, you have a lot of freedom about who you select. But bear in mind the following recommendations from the European Data Protection Supervisor. You should avoid selecting:
- Someone who acts as a data controller in their own right, for example, the Head of Human Resources
- Anyone on a temporary contract
There are some special requirements about how this person should be allowed to operate within your company. They must be totally independent - no-one, not even your CEO or General Manager, can tell the DPO how to fulfill their duties as DPO. In their capacity as DPO, they must report to the very highest level of management and manage their own budget. They should also have access to all personal data and processing operations across your company.
When is a Data Protection Officer Required?
Only certain companies are required to appoint a DPO:
- All public authorities and public bodies
- Any company which regularly and systematically monitors individuals on a large scale as part of its core activities
- Any company which regularly and systematically processes special category data or criminal conviction data on a large scale as part of its core activities
Even if your company doesn't meet any of these descriptions, or if you aren't sure whether or not it does, you may still wish to designate a DPO. This is encouraged by the Article 29 Working Party. There are a number of advantages to having a well-trained, independent person who can deal with data protection issues and inquiries working in your company.
Appointment of a Data Protection Officer Letter
When hiring or designating a DPO, you should formalize the process by writing an Appointment of a Data Protection Officer Letter.
This will help the DPO to understand their responsibilities, and it can be a point of reference for other employees in your company if they wish to understand the role of the DPO better. It can also serve to reassure your Data Protection Authority that your company has done its due diligence and understands the significance of the appointment.
A big part of the GDPR is about providing clear information about your data protection practices, written in simple language.
Let's take a look at what you should include in your Appointment of a Data Protection Officer Letter.
Details of the Appointment
Firstly you should provide the details of the two parties the letter concerns.
- Your company (the "data controller" - a company that "determines the purposes and means" of processing personal data). Provide the name and address for your company. This is "the Company."
- The DPO's name. This is "the DPO."
You can then provide some brief context regarding the reason for the appointment, for example:
"[name] is designated as Data Protection Officer in accordance with Regulation (EU) 2016/679 ('the GDPR') Article 37."
Term of the DPO
DPOs are usually appointed to their post for an indefinite period, but some companies appoint a DPO for a specific term. For example, the European Data Protection Supervisor, the highest data protection authority in the EU, requires EU institutions to set a term of office for their DPOs of between 2-5 years.
It's important to note that according to Article 38 of the GDPR, the DPO should be independent and cannot be dismissed or penalized for carrying out their responsibilities.
You should include a section in your letter that sets out the term of the appointment, whether permanent or fixed.
"The term of the Data Protection Officer will commence on [date] and expire at the end their period of employment with the company."
"The Data Protection Officer is appointed for a period of [2-5] years, commencing on [date]."
Role of the DPO
Your letter should provide the duties and responsibilities of the DPO. Broadly speaking, these are mandated by the GDPR and so will not vary between companies.
Your letter should include a summary of these tasks, written in plain language:
The DPO shall carry out the following duties, which are set out at Article 39 of the GDPR:
- Providing information and advice about data protection to the company and its employees.
- Monitoring compliance with data protection laws and the company's own data protection policies. This may include assigning responsibilities, raising awareness and providing training to staff involved in data processing; and carrying out data audits.
- Advising on Data Protection Impact Assessments wherever the company is considering taking on a relevant high-risk data processing project.
- Cooperating with the Data Protection Authority, [insert the name of your Data Protection Authority];
- Acting as the point of contact for [the Data Protection Authority]. This includes consulting with [the Data Protection Authority] about any high-risk data processing under Article 36 of the GDPR, or in the event of a high-risk data breach.
You should avoid imposing further tasks in addition to those set out in the GDPR (unless required by national law).
For example, imagine that you ask your DPO to provide staff training to all employees once per year. The DPO fails to do this. You would be in danger of infringing on their independent status if you were to discipline them for this.
Status of the DPO
The DPO is afforded a particular status when carrying out their role as DPO. Don't think of this as a "promotion" - it's merely a way to ensure that the DPO is in the best possible position to carry out their duties. Their regular position in the company is maintained for all other purposes.
Your Appointment of a Data Protection Officer letter should make the DPO's status clear:
"In carrying out their duties in this role, the DPO shall:
- Report to the highest level of management [insert job title of an appropriate senior staff member, e.g. CEO].
- Ensure that their duties as DPO do not conflict with any other interests.
- Manage their own budget provided by the Company.
- Be accessible as a point of contact for data protection queries within the Company.
The Company shall:
- Not subject the DPO to any penalties or disciplinary action for carrying out their role as DPO.
- Not assign the DPO any duties or responsibilities that conflict with their role as DPO.
- Provide a budget managed by the DPO that will properly resource and equip the DPO to carry out their duties.
- Enroll the DPO in the appropriate training and development programs.
- Involve the DPO in all matters pertaining to the processing of personal data within the Company. This includes granting access to all necessary systems and data.
Wrap up the letter with a final statement about the nature of the appointment. For example, if you've designated an existing employee to the role of DPO:
"Other than to the extent set out above, the existing conditions of employment are not affected by this appointment."
Or, if hiring an external DPO, you can set out the conditions of remuneration and hours of work. Remember that they will need to be readily available in the event of a data breach.
You should then include the names of the parties to the agreement (a suitably senior staff member to represent your company, and the DPO), and spaces for each to sign their name and write the date.
Summary of Your Appointment of Data Protection Officer Letter
Whether you're designating a member of staff within your own company or employing an external DPO, you should write a letter to announce the appointment. This letter should contain:
- Your company's details and the DPO's name
- The term of the appointment
- The DPO's tasks
- The DPO's position and status within the company
- A closing statement, followed by the names and signatures of the parties to the agreement