Start of main content

The data protection officer as the guarantor of privacy in organisations

| News | Privacy, IT & Digital Business

The General Data Protection Regulations (GDPR), of 27 April 2016, repealing the pervious Directive 95/46/EC, being approved has meant that a new model of privacy has been generated

The General Data Protection Regulations (GDPR), of 27 April 2016, repealing the pervious Directive 95/46/EC, being approved has meant that a new model of privacy has been generated, which responds to the challenges of a digital society and bolsters the role that organisations play in protecting the rights and freedoms of users. The GDPR will come into force on 25 May 2018, after two years of vacatio legis, a term that the National Legislator has deemed sufficient for organisations to adapt to the new legal framework.

It took more than four years of debates to finally approve the proposal for the GDPR, which shows that the change in the model and the implications that this has both for organisations and businesses, have not been easy to smooth over within the EU.

This is not merely an update of the measures to update them to the digital ager, nor just an instrument aimed at extending the list of formal obligations. Quite the contrary, the GDPR involves a structural and cultural change for data processing, which has to be approached in a comprehensive manner, and aims to generate enough legal certainty and stability for new types of business based around mass personal data exchanges online and on social media and the analysis of such data using big data tools. It also seeks to safeguard the effective protection of citizens’ derived rights to privacy and intimacy, which, it should be noted, are recognised as fundamental rights in the EU (unlike the situation with other jurisdictions, such as the United States).

In fact, one of the main pillars, and in my opinion one of the success of the reform, is the principle of “trust”, both in business and in organisation for drawing up policies that could have an impact on the processing of personal data and, by extension, to citizens’ privacy, as well as on user, which are granted much greater control over their own data and greater capacities for decision. Among other measures, accountability with the owners of the data is stipulated for the processing personal data.

To streamline the management of this new framework and their correct adaptation, the GDPR has created the role of Data Protection Officer as the guarantor for data protection within organisation and, furthermore, to support them in the new duties that they have to fulfil.

Although the spirit of the GDPR is to regulate the role that the Data Protection Officer plays in all kinds of institutions what handle personal data, including SMEs, where this is acting as a the controller or the processor, the appointment of such role is only compulsory in the following circumstances:

  1. If the personal data is processed by the Public Authorities or a Public Body, except the courts acting in their judicial role.
  2. If the main activities of the controller or the processor invoice processing operations that, due to their nature, scope and/or purpose, require a recurring and systematic observation of the stakeholders on a large scale;
  3. Otherwise, if the main activities of the controller involve large-scale processing of sensitive personal data in special categories.

Although the guides and instructions public by the Article 29 Working Party and by the Spanish Data Protection Agency (with initials in Spanish, AEPD) do not specify the meaning of “large-scale processing” or personal data, all the evidence points toward significant flows of data. Specifically, case law suggests that this category will include activities consisting of monitoring through networks and the internet and user profiles that contain significant volumes of data. Similarly, bearing in mind the initial draft of the GDPR, it would appear that companies with over 250 employees could also be considered to represent a considerable volume of personal data.

Regarding who could or should be appointed as the Data Protection Officer, the GDPR is fairly sparing in the requirements it stipulates, since it only states that they must be appointed in light of their appropriate skills and professional qualities, and specifically, their specialised knowledge in the field of Law and experience with data protection.

To accredit that the professional have right skill set, the AEPD has chosen to create a certification system alongside the Entidad Nacional de Acreditación (“National Accreditation Institution”), although the accreditation is not a necessary requirement to act as a Data Protection Officer.

Among the most distinctive features of this figure, it is stipulated that the Data Protection Officer, unlike the current “security manager”, have special protection and independence ensured when operating as such, as well as sufficient resources, including training on updates and must have direct communication with the highest hierarchical level in the organisation or the decision-making level. Such independence means that they cannot receive orders or be dismissed or sanctioned when carrying out their duties.

Similarly, even though the Data Protection Officer may perform other duties and roles, the organisation or business responsible for the data must ensure that such duties and roles do not generate any conflicts of interest. As stipulated by the guide published by the AEPD, such conflicts of interest may arise when the Officer, when overseeing the data processing carried out by the organisation, must assess their own work within such organisation, such as would be the case if the IT Manager was appointed as the Data Protection Officer (if the IT systems were used for processing data) or the if it was the head or a department that makes decision on certain aspects of processing.

Such guarantees must be contractually agreed, either in the employment contract if the Officer is an employee, or in the Service Provision Agreement, if a Data Protection Officer is external contracted in.

Therefore, the Data Protection Officer may be either internal or external, a natural or legal person, and there one be one sole Officer for Business Group, or one for each subsidy. With the aim of enabling organisations to have the support of a Data Protection Officer, the GDPR is a very flexible and allows for the possibility of a Data Protection Officer being appointed by an association to provide services to the institutions that are members of such association.

In the case that a sole Officer is appointed for one Business Group, the GDPR requires that they be accessible for each establishment in the group. In accordance with the interpretation of the AEPD, such accessibility includes the physical accessibility for the staff of such group and the possibility for the stakeholders to contact the Officer in their own language, even when they belong to an establishment in another Member State.

Lastly, among other tasks for consultancy, overseeing data processing and privacy policy, what stands out is the role as a point of contact with the AEPD authorities and with the users that own the data and, as such, their contact details must be published and they must handle any shareholders making requests or exercising their rights.


For further information, please contact:

Isabel Martínez Moriel


Download the PDF file here.



End of main content