18 Nov Designation of the Data Protection Officer
- With regard to the case referred to in point (b) of Article 37(1) of the General Data Protection Regulation — the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale
The clarifications provided by WP29 in the Guidelines on Data Protection Officers adopted on 13 December 2016, revised and adopted in their new form on 5 April 2017, are important. WP29 specifies that the notion of “core activities” used in the legislative provisions refers to key, primary activities, and not to data processing as an ancillary activity. An example is provided of a security company whose core activity is the surveillance of premises, which necessarily requires the processing of personal data such as images or identity document data, and which therefore falls within the case provided for under point (b) of Article 37(1), in which the designation of a data protection officer is mandatory. However, a company engaged in the trade of household appliances which processes data of its own employees carries out such processing only as a support activity to its core business (namely trade) and therefore there is no obligation to designate a data protection officer.
As regards the phrase “large scale,” the European legislator does not provide a clear definition, so the answer must be sought in complementary documents. Recital 91 of the GDPR offers some guidance, as do the ANSPDCP and WP29 in the aforementioned Guidelines, which recommend taking into account in particular the following factors in determining whether or not processing is carried out on a large scale:
- the number of data subjects, either an exact number or a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration or permanence of the data processing activity;
- the geographical extent of the processing activity.
With regard to the meaning of “monitoring,” recital 24 of the Regulation and WP29 explain that it encompasses all forms of tracking and profiling, including for the purposes of behavioural advertising, and that it is not limited to the online environment: online tracking is only one example of monitoring the behaviour of data subjects. “Regular” refers to processing that is ongoing, or that recurs or is repeated at particular intervals or fixed times, while “systematic” means processing carried out according to a system or pre-established plan, as part of an organised strategy for data collection.
In this context, WP29 also provides examples for each criterion. Examples of large-scale processing are the processing of patient data in the regular course of business by a hospital, the processing of customer data in the regular course of business by an insurance company or a bank, and the processing of personal data for behavioural advertising by a search engine. Examples of regular and systematic monitoring are profiling and scoring for risk assessment purposes (for example, for the purposes of credit scoring, determining insurance premiums, fraud prevention, or money laundering detection), location tracking and loyalty programmes, email retargeting, and data-driven marketing activities. Examples of processing that does not qualify as large scale are also given, namely the processing of data concerning criminal convictions by an individual lawyer and of patient data by an individual physician.
- With regard to the case referred to in point (c) above — the core activities of the controller or the processor consist of processing on a large scale of special categories of data referred to in Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10
Most commercial companies process sensitive data about their own employees, such as religious affiliation and health data (both special categories of data under Article 9), when employees request the statutory days off granted for the public holidays of other religious denominations or apply for sick leave, pursuant to the provisions of the Labour Code.
Therefore, the processing of such employee data is inherent in the activity of any commercial company. The question of whether the condition of processing such sensitive data “on a large scale” is met, and whether such processing falls within the category of “core activity” of the respective employer, remains open.
In this regard, as noted above, the lack of a clear definition of these terms will certainly create difficulties for commercial companies.
From our perspective, we consider that reference should be made to the exception provided by way of example by WP29 when discussing the meaning of core activity for commercial companies. Accordingly, it might be considered that if a company merely records employee data for the purpose of granting sick leave (for example), this activity is only ancillary and secondary to the core activity (such as trade) and is necessary not for the conduct of the primary business activity but for the fulfilment of a separate legal obligation. As a result, such a company does not fall within the case provided for under point (c) and is therefore not obliged to designate a data protection officer.
Furthermore, the question arises as to whether large-scale processing of data falling within Article 9 takes place at all in the case of such a company. It could be argued that it does not, as long as not all employees take sick leave and the firm does not have a very large number of employees relative to the relevant labour market.
It remains to be seen, however, whether in such a situation practice will be based on the justification that such data is not processed on a large scale, or whether the insistence will be on the fact that such processing is not carried out as a core activity of the employer.
***
In addition, it should be noted that the European legislator has provided for the obligation, as well as the recommendation, to designate a data protection officer not only in the case of the controller, but also in the case of the processor. Therefore, it is possible that in certain situations the controller is not subject to mandatory designation, while the processor acting on its behalf is. It depends entirely on which of them meets the criteria for mandatory designation set out in the Regulation.
An example provided by WP29 in this regard is that of a small family business distributing household appliances in a city, whose processor is a firm providing marketing services. The family business does not involve large-scale data processing, given the relatively small number of sales and customers. The marketing company, however, has many clients and can be considered to be processing personal data on a large scale as its core activity. Consequently, although the data controller is the family business, it is not obliged to designate a data protection officer, whereas the marketing firm, which in this structure has the role of processor, must carry out this step.
It goes without saying that the data protection officer designated by the processor will hold this role and fulfil the corresponding tasks regardless of whether, for a given processing operation, the entity for which they perform this function acts as a controller or as a processor. Thus, referring to the above example, the data protection officer appointed by the marketing company will ensure that the company complies with the provisions of the Regulation both where it acts as a processor (as is the case in its relationship with the family business) and where it is itself a controller (as is the case in its relationship with its own employees).