EDPS demands Data Protection Officers are compulsory under GDPR

ButtarelliThis week the EU’s independent privacy watchdog, the European Data Protection Supervisor (EDPS) has declared wide ranging support for the European Parliament’s version of the EU General Data Protection Regulation (GDPR) that’s the subject of trilogue negotiations between the European Commission, European Parliament and Council that may be concluded as early as end of October 2015.

However, a notable difference between the EDPS and the European Parliament’s view is the mandatory appointment by organisations and companies of a Data Protection Officer (DPO).

It’s worth noting that 35% of all EU Member States currently require the appointment of a DPO as a compulsory measure, so it would take just 16% of other EU Member States to make this the majority view within the EU.

Under Section 4, Article 35, GDPR provides for the appointment of the DPO. On this important principle, EDPS states:

The controller and the processor shall designate a data protection officer where:

  • the processing is carried out by a public authority or body; or
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope, their purposes, the number of individuals concerned or individuals processing personal data, imply regular or systematic monitoring of data subjects or a high level of risk.

The European Commission version of Section 4, Article 35, GDPR states another caveat that such a requirement would apply to those organisations and companies employing 250 or more employees. This was not the view of the EDPS.

The European Parliament version of Section 4, Article 35, GDPR states that it applies where 5,000+ data subjects’ records are processed in any consecutive 12-month period. Again this was not the view of the EDPS.

The Council of Ministers version of Section 4, Article 35, GDPR deleted both of these additional requirements but made the appointment of a DPO not mandatory, stating: “The controller or the processor may, or where required by Union or Member State law shall designate a data protection officer.” Again, this was not the view of the EDPS.

However, EDPS did agree with a similar provision of the European Parliament that two or more organisations or companies (controller or processor) could effectively share a single DPO, with the European Parliament stipulating that such an individual should be ‘easily accessible from each establishment’.

In terms of the length of an internal appointment of a DPO, EDPS appeared to steer a middle path of ‘at least 3 years’, whereas the European Commission preferred ‘at least 2 years’ and the European Parliament ‘at least 4 years’. The European Commission made no such stipulation of duration of tenure.

In explaining the thinking behind the EDPS position, Giovanni Buttarelli, European Data Protection Supervisor said:

“We are driven by three abiding concerns: a better deal for citizens; rules which will work in practice and rules which will last a generation. The EU needs a new deal on data protection, a fresh chapter. The rest of the world is watching closely. The quality of the new law and how it interacts with global legal systems and trends is paramount.”

EDPS has also released a table showing the various different versions of GDPR that are currently under negotiation in the trilogue phase as well as taking the unusual step of releasing an app that compares texts from the EU Commission, European Parliament and EU Council and EDPS.

The general tone of the EDPS, contained in its document entitled Europe’s Big Opportunity is for a better equilibrium between the public interest on the one hand and personal data protection on the other.

“Data protection rules should not hamper historical, statistical and scientific research which is genuinely in the public interest. Those responsible must make the necessary arrangements to prevent personal information being used against the interest of the individual, paying particular attention to the rules governing sensitive information concerning health, for example,” says the EDPS.

“Legislation is the art of the possible,” concludes Giovanni Buttarelli. “The options on the table each contain many worthy provisions, but each can be improved. The outcome will not be perfect in our view, but we intend to support the institutions in achieving the best possible outcome. That is why our recommendations stay within the boundaries of the three texts.”


Leave a reply