We have previously informed you about the regulation on data protection, which will come into force in Denmark on 25 May 2018, and the requirements for public authorities and bodies and certain private companies to appoint a so-called data protection officer (DPO).
The regulation lists a number of general criteria for which companies and organisations must appoint a DPO, as well as the requirements for the DPO and his/her position. But there has been some uncertainty as to which companies and organisations are in fact obligated to appoint a DPO, and the DPO's role and liability have not been clearly specified.
As expected, the Article 29 group has now published a set of guidelines that provide more clarity on the above questions.
The guidelines contain a more detailed description of
- the organisations that must appoint a DPO, including for example private companies performing public assignments;
- how to construe some of the central concepts as to how to determine whether a private company is covered by the requirement to appoint a DPO, including the concepts "core activities" and "a large scale";
- the requirements for the DPO's position;
- the requirements for the DPO's assignments;
- the DPO's responsibilities.
For example, a company's core activities may be construed as the central processing that the company performs to pursue its overall objectives, and whether processing is on a "large scale" is determined based on, for instance, the amount of data, the number of registered persons and the duration of the processing. Processing of personal data on a large scale may be:
- processing of patient data at a hospital;
- processing of travel data on persons using public transportation (for instance using travel cards);
- processing of customer data as part of the normal operation of an insurance company or a bank.
THE DPO'S LIABILITY
The guidelines suggest a rather sharp division of liability between the DPO and the controller/processor, as they state that the DPO will not be personally liable for the controller's or the processor's failure to observe the regulation. However, the guidelines do not settle whether the controller or the processor may raise a claim for compensation against an internal or external DPO under the general rules of Danish law on fault-based liability.