Appoint a Data Protection Officer
The Data Protection Officer (DPO) supports the controller or processor in complying with the data protection norms. Article 37 GDPR mandates the appointment of a DPO in five specific cases.

Requirements mandating a Data Protection Officer
Requirement 1 “The processing is carried out by a public authority or body, except for courts acting in their judicial capacity”, Article 37.1 GDPR
Requirement 2 “The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”, Article 37.1 GDPR
Requirement 3 “The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9”, Article 37.1 GDPR
Requirement 4 “The core activities of the controller or the processor consist of processing on a large scale of […] personal data relating to criminal convictions and offences referred to in Article 10”, Article 37.1 GDPR
Requirement 5 “[T]he controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer”, Article 37.4 GDPR

Requirements 1 and 3 are particularly relevant for this document. Requirement 1 is relevant because it is not uncommon for research institutions to be public bodies, as in the case of public hospitals and public universities. When such a scenario applies, Article 37.3 GDPR provides that “a single data protection officer may be designated for several such authorities or bodies”. For example, public hospitals might not have appointed a DPO of their own but could rely on a DPO designated for several such bodies to provide that service.

Requirement 3 is relevant as it mentions the processing of special categories of personal data – such as biometric data – as one of the three criteria for the compulsory appointment of a DPO. The other two criteria are met when the processing of personal data happens in the context of a core activity and is performed on a large scale. The terms ‘core activities’ and ‘large scale’ are not explicitly defined in the GDPR. The Article 29 Working Party (WP29), though, provides interpretative guidance in its Guidelines on Data Protection Officers. Accordingly, core activities are “key operations to achieve the controller’s or processor’s objectives”[1], hence excluding supporting or ancillary activities. In the context of ICT research and innovation, this could be understood as any activity directly related to the execution of ICT research and the achievement of ICT innovation, such as the development of a biometric system. As for the large-scale criterion, WP29 links it to “the number of data subjects concerned – either as a specific number or as a proportion of the relevant population –, the volume of data and/or the range of different data items being processed, the duration, or permanence, of the data processing activity, [and] the geographical extent of the processing activity”[2].

If appointing a DPO is required, this should occur as early as possible. Indeed, Article 39.1(a) GDPR states that one of the responsibilities of the DPO is to inform and advise the data controller during all the steps of the research. Therefore, securing the assistance of a DPO at the earliest possible time ensures that the researchers receive adequate guidance on how to address the compliance requirements from the outset.

The contact details of the DPO should be published and made available to the data subjects.