
Exploring the GDPR #12: Data Protection Officer

This blog comments on one of the expansions of responsibility for organizations (point 2), namely that it may be mandatory for organizations to appoint a “Data Protection Officer” (‘DPO’). This is someone who monitors the application of, and compliance with, the GDPR within the organization. In a nutshell, the GDPR prescribes that an organization is obliged to appoint a DPO if the organization meets any of the following conditions (they are not cumulative):

  • is a governmental body (except for courts when carrying out their judicial duty);
  • processes special personal data on a large scale and this is a core activity of the organization, such as health care providers;
  • monitors people on a large scale (for example through profiling) and this is a core activity of the organization.

Organizations may opt for an internal DPO, but also for an external one. The position of internal DPO may be fulfilled by an in-house employee. However, although a DPO may hold another position, he/she may only be assigned other duties and responsibilities if these do not lead to a conflict of interests. This means in particular that the DPO may not hold a position within the organization in which the purposes and means of processing personal data are determined. As a rule of thumb, senior management positions (such as CEO, COO, CFO, medical director, head of the marketing department, head of personnel, or head of the ICT department) are considered to be conflicting positions, but so are other roles at a lower level within the organizational structure if such positions or roles involve determining the purposes and means of data processing.

Apart from this, an organization may choose to hire or appoint an employee to fulfil the function of DPO independently (i.e. without any other position or other work within the organization).

As part of the obligation to ensure compliance with the GDPR, the DPO may in particular do the following:

  • collect information to identify processing operations;
  • analyse and check the extent to which processing activities comply with the GDPR; and
  • inform, advise or give recommendations to the controller or the processor.

Unfair dismissal protection and whistleblower protection

Because a DPO must be able to act independently, the GDPR (Article 38) states that a DPO “shall not be dismissed or penalised by the controller or the processor for performing his tasks”. This requirement bolsters the autonomy of the DPO and helps to ensure that the DPO is adequately protected in performing his duties. Sanctions are, by the way, only prohibited under the GDPR if they are imposed merely because the DPO performs his duties as DPO. For example, a DPO may believe that a specific processing of personal data entails a high risk and advise the controller or processor to carry out a privacy impact assessment, while the controller or processor does not agree with the DPO’s assessment. In such a case, the DPO may not be dismissed for giving this advice, or disadvantaged in any other way.

Under the current WPB (Wet bescherming persoonsgegevens, the Dutch Personal Data Protection Act; Section 62), an organization can already (voluntarily) choose to appoint a DPO. This DPO enjoys the same dismissal protection as, for example, an employee who is a member of the Works Council, see Section 7:670 (10) (d) Dutch Civil Code.

The DPO therefore enjoys statutory dismissal protection under the current WPB as well as under the GDPR.

Dismissal on other grounds is possible

Of course, a DPO can be dismissed because he/she does not properly perform his duties as DPO, in other words if he ‘dysfunctions’. After all, dismissal is only prohibited if the DPO is dismissed solely for carrying out his job, for instance where the controller or processor does not agree with the DPO’s assessment of, for example, the need for a privacy assessment.

This is also endorsed in the “Guidelines for Data Protection Officers (DPOs)”. They explicitly state that a DPO may be legitimately dismissed if there are reasons for this other than the performance of his duties as DPO, in accordance with a customary policy rule and under the applicable national contract law, employment law and criminal law that would equally apply to any other employee or contractor (for example in case of theft, physical, psychological or sexual harassment, or similar serious misconduct).

However, in practice you will be dealing with a grey area. After all, what the organization sees as inadequate performance, someone else may see as unsolicited advice. We will wait and see how this works out in practice, but it is foreseeable that this will be an area of tension.

Published 7 June 2018.