Does your organisation need to appoint a Data Protection Officer (DPO)? Part II: country specifics
In the previous blog we discussed whether your organisation needs to appoint a Data Protection Officer (“DPO”) pursuant to the GDPR. In this blog we discuss whether you are obliged to appoint a DPO based on national legislation, even though you might not be required to appoint a DPO directly under the GDPR. There are two scenarios to consider: DPO requirements in EU countries and DPO requirements in EU candidate countries.
Scenario 1, EU countries
Even if you don’t need to appoint a DPO directly pursuant to the GDPR, you might nevertheless be required to appoint a DPO if more specific national legislation requires you to do so, because Article 37 (4) GDPR allows EU member states to implement stricter requirements to appoint a DPO. Some countries have made use of the opportunity to further define DPO requirements. The following sections explain the most noteworthy DPO requirements in various EU countries.
Belgium
In Belgium you need to appoint a DPO under the Belgium Data Protection Act:
- If public bodies process personal data in the context of:
- the organization Foundation of Missing and Sexually Exploited Children (Art.8).
- crime prevention and public security (Art.63).
- intelligence and security services (Art.91).
- classification and security clearances, security certificates and security recommendations (Art.124).
- processing personal data by the Coordination Unit for Threat Assessment (Art.157).
or
- If the processing of personal data is likely to result in a high risk, meaning that a Data Protection Impact Assessment would need to be performed, and
- a private body processes personal data on behalf of a public body or the public body transfers personal data to the private body (Art.21), or
- there are derogations to data subject rights pursuant to Article 89 (2) and (3) GDPR in the context of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Art.190).
Czech Republic
The GDPR requires public authorities to appoint a DPO. Section 14 of the Czech Personal Data Processing Act requires also other authorities, which are established by law and that perform tasks laid down by law in the public interest, to appoint a DPO.
Germany
In Germany you need to appoint a DPO pursuant to Section 38 of the German Federal Data Protection Act:
- if your organisation employs 20+ employees who permanently work with automated personal data processing. This requirement has to be interpreted broadly, and would include, i.e., employees processing personal data by means of a personal computer (including interns, freelancers, etc.);
- if you need to perform a Data Protection Impact Assessment (DPIA); or
- if you process personal data for the purpose of commercial (anonymized) transfer (typically in the scope of data trading companies), or commercial market or opinion research.
Italy
Italy is noteworthy, because it does not specify further requirements to appoint a DPO in national law, however, the Italian data protection authority has published a non-exhaustive list with examples in its FAQ No.3 where you would need to appoint a DPO. The following examples would require a DPO:
- Businesses entrusted with public services, i.e. local public transport, waste collection, water service management, etc.
- credit institutions
- insurance companies
- credit information systems
- financial companies
- business information companies
- auditing companies
- debt collection companies
- supervisory institutions
- political parties and movements
- trade unions
- CAF e patronati (social security and tax services)
- companies operating in the utilities sector, i.e. telecommunications, electricity or gas distribution, etc.
- labor supply and recruitment companies
- companies operating in the health care, preventive/diagnostic health care sector such as private hospitals, spas, medical analysis laboratories and rehabilitation centers
- call center companies
- companies providing computer services
- companies providing pay television services
Luxembourg
Pursuant to Article 65 of the Luxembourg Personal Data Processing Act you don’t need to but you should appoint a DPO if you process personal data or special categories of personal data for scientific or historical research purposes, or statistical purposes. However, if you do not appoint a DPO in this case, you (applies only to controllers not processors) must document and justify why you have not appointed a DPO.
Romania
Pursuant to Article 4 of the Romanian Data Protection Law you need to appoint a DPO if you process national identification numbers.
Spain
Similar as in Italy, Spain provides several examples where you need to appoint a DPO. However, these examples are not drafted by the data protection authority as in Italy, but implemented in Article 34 of the Spanish Data Protection Law. For the following examples you need to appoint a DPO in Spain:
- Professional associations and their general councils.
- Educational centers that offer teachings at any of the levels established in the legislation regulating the right to education, as well as public and private Universities.
- Entities that operate networks and provide electronic communications services in accordance with the provisions of their specific legislation, when they regularly and systematically process personal data on a large scale.
- Providers of information society services when they elaborate large-scale profiles of service users.
- The entities included in Article 1 of Law 10/2014, of June 26, on the regulation, supervision and solvency of credit institutions.
- Financial credit establishments.
- Insurance and reinsurance entities.
- Investment services companies, regulated by the Securities Market legislation.
- Distributors and marketers of electric energy and distributors and marketers of natural gas.
- Entities responsible for common files for the evaluation of capital and credit solvency or common files for the management and prevention of fraud, including those responsible for the files regulated by the legislation for the prevention of money laundering and the financing of terrorism.
- Entities that carry out advertising and commercial prospecting activities, including commercial and market research activities, when they carry out processing based on the preferences of the data subjects or carry out activities that involve profiling them.
- Health centers legally obliged to keep patients' medical records. Exceptions are health professionals who, even though they are legally obliged to keep patients' medical records, carry out their activity on an individual basis.
- The entities that have as one of their objects the emission of commercial reports that can refer to natural persons.
- The operators that develop the gaming activity through electronic, computerized, telematic and interactive channels, in accordance with the gaming regulation regulations.
- Private security companies.
- Sports federations when processing data of minors.
Scenario 2, EU candidate countries
You might want to operate in a EU candidate country, a country which does not yet have the status of an EU member state. In general, the GDPR does not apply in that country (yet). However, in order to become a EU member state in the future, EU candidate countries need among others to adjust their local legislation to a similar EU level, which includes data protection. In some cases, EU Candidate states might already have implemented local legislation which essentially reflects the GDPR requirements, including the requirement to appoint a DPO. There are currently three candidate states which have noteworthy DPO requirements:
Albania
DPO requirements are not explicitly mentioned in the Albanian Law on Protection of Personal Data, instead, an additional order number 27 of the Instruction no. 47 refers to a person in charge of the supervision. The requirement to appoint such a person applies to “large processing entities” which are defined in number 2 as an entity where 6+ persons carry out processing.
Ukraine
At the end of 2022, Ukraine published its Draft Law on the Protection of Personal Data which essentially reflects the GDPR. The requirements to appoint a DPO are very similar but Ukraine shows some stricter nuances than the GDPR.
Serbia
Serbia’s data protection legislation is very similar to the GDPR. Article 56 of the Serbian Data Protection Law sets out identical DPO requirements as Article 37 GDPR.
Do you need help with determining if your organisation needs a DPO? Please contact us!