Should every employer appoint a personal data protection officer?

2018.05.30

The GDPR does not require that all employers appoint a data protection officer. The appointment must be made if the processing is done by public authorities, as well as entities for which (1) the core activities consist of large-scale data processing operations, and the nature, scope and purposes of this processing require regular and systematic monitoring of data subjects, or (2) the core activities consist of processing on a large scale of special categories of data (as specified in Article 9 of the GDPR) or data relating to criminal convictions. Determining whether this requirement arises is one of the employer’s internal tasks, and this assessment should be justified (i.e. documented).

Appointing a competent data protection officer voluntarily may be helpful, because their support will facilitate compliance with the rules and help prepare the required documentation, and they will be in charge of the day-to-day contact with supervisory authorities. On the other hand, it is hard to imagine that one person should be able to fulfill all the duties stemming from the GDPR. It should be remembered that, as a rule, the personal data protection officer should be a natural person.

Even if you outsource activities that overlap with the duties mandated by the GDPR, the recently-passed Personal Data Protection Act mandates that the President of the Personal Data Protection Office must be notified of the appointment of a personal data protection officer, including their first and last name and email address or phone number. The GDPR grants the data protection officers a high degree of independence and freedom, by making it difficult for the employers to dismiss them or to hold them accountable. At the same time, the data protection officer should be informed of all the matters related to personal data, invited to meetings and consulted on current issues, and his or her judgements should not be influenced.  The employer must justify any actions that contradict the officer’s recommendations. If we add to this the outlays on setting up the position and the potential conflict of interest, the possible advantages may turn out to be lesser than the risks.