On 13 December 2016 the European Data Protection Supervisor (Working Party – WP29) issued three documents containing information and recommendations on important new features of the Regulation (the right to data portability, the D.P.O., the Leading Authority), in view of its application, effective from May 25, 2018.
With regard to the Data Protection Officer, the guidelines first highlight that the appointment of such a role is the basis of a positive process of adaptation to the legislation, and that the DPO can at the same time act as an intermediary with the various stakeholders, including the Supervisory Authorities. It is therefore clear that WP29 encourages the appointment of a Data Protection Officer also by companies that would be exempt from this requirement, considering such an appointment a good practice, even before focusing on the cases in which the appointment of the D.P.O. is mandatory under the new rules. Fostering the principle of accountability introduced by the Regulation, the WP29 recommends written documentation of the grounds that led to the decision whether or not to appoint a DPO, so as to prove (in the event of an inspection) that the most important elements have been duly taken into account.
With reference to the first case, in which the appointment of a D.P.O. is mandatory (processing operations carried out by a “Public Authority” or a “Public Entity” – art. 37 co. I l. a) of the Regulation), WP29 states that there is no obligation for private companies providing public services, such as those operating in the energy or transport sector. However, since in this case the parties concerned would be in a position similar to that of public authorities or public entities when processing data, the guidelines specify that the appointment of a D.P.O. is definitely a good practice.
Besides the case indicated above, Article 37 co. I l. b) and c) of the Regulation require the appointment of a Data Protection Officer if the main activities of the Data Processor/Data Controller consist of processing operations that require recurrent and systematic monitoring of the data subjects on a large scale, or consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.
In defining the “core business” of the Data Controller or Data Processor, the WP29 states that such activities include the processing of personal data whenever the latter is an integral part of the activities routinely carried out by these entities. It follows, for example, that the provision of the services typically offered by a hospital is closely connected with the processing of data on the health of its patients.
With reference to the definition of “large-scale processing”, the WP29 does not seem to take a specific position, failing to provide a quantitative definition in this regard. Essentially, it sets out a range of elements to be evaluated, including the number of data subjects, the volume of data processed, the duration of the processing and its geographical scope. In this regard, it provides a series of examples of processing that should fall within this category, including the processing of personal data carried out by banks or insurance companies, or the processing of travel data for persons using a public transport network. Finally, “recurrent and systematic monitoring” is defined as monitoring performed periodically or continuously, and includes, for example, online profiling.
From the reading of this document it is clear that WP29 did not provide detailed indications regarding the burden imposed on companies. It is, however, the first attempt to provide practical guidance with respect to the figure of the Data Protection Officer, which is of crucial importance for every organization.
The lack of detail in specifying the obligations contained in the Guidelines forces the Data Controller/Data Processor to document in writing the grounds that led to a given decision, or to a specific compliance measure, in view of the general principle of accountability contained in the Regulation.