The law will oblige companies with more than 50 employees to have a data protection officer
The Draft Bill (whistleblowing) extends the list of cases, beyond those already set out in the General Data Protection Regulation (GDPR) and the Organic Law on Data Protection and guarantee of digital rights (LOPDGDD), in which a Data Protection Officer must be appointed.
What is the data protection officer and what are his/her functions?
The General Data Protection Regulation (GDPR) regulates the figure of the Data Protection Officer (DPO) in articles 37 to 39.
The DPO is the key person in an organization whose role is to ensure compliance with the rules on privacy and data protection.
In this regard, and in accordance with the GDPR, appointing a DPO is, a priori, mandatory in the following cases:
– When the processing is carried out by a public authority or body.
– When the main activities of the controller or processor consist of processing operations which, by reason of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale.
– Where the main activities of the controller or processor consist of large-scale processing of special categories of personal data and of data relating to criminal convictions and offences.
The “Whistleblowing” law will oblige companies with more than 50 employees to have a DPO.
As follows from the above, the applicable regulations do not in any case establish that companies with more than 50 employees are obliged to have a DPO.
However, with the entry into force of the recent Whistleblowing Directive, companies employing 50 or more people are obliged to have a whistleblowing channel.
Consequently, Article 34 of the Draft Bill establishes that companies that are obliged to have a whistleblowing channel, as well as the external third parties that manage it, must appoint a Data Protection Officer.
Appointment of the Data Protection Officer
The DPO should be appointed based on his or her professional qualifications and in particular his or her knowledge of data protection law.
To the extent that the DPO’s duties include advising the controller or processor on data protection law, legal knowledge of the subject matter will be necessary, as will non-legal knowledge, for example of data processing technology, although no specific training is required.
Controllers and processors must make the appointment of the DPO and his or her contact details public and communicate them to the competent body.
The established requirements that a DPO should meet are as follows:
– Full autonomy in the exercise of his or her functions.
– Close contact with the highest level of the organization.
– The controller and the processor are obliged to provide the DPO with all the resources necessary to carry out his or her activity.
It is permissible to appoint a single DPO for a group of companies if he/she is accessible from each establishment of the group. Accessibility is understood in a broad sense, including physical accessibility for the group’s own staff and also the possibility for data subjects to contact the DPO in their own language, when the DPO is located in an establishment in another member state.
The AEPD has opted to promote a certification scheme for data protection professionals as a tool for assessing whether candidates for DPO positions have the required professional knowledge and qualifications.
However, certification will not be a prerequisite for access to the profession.
What is the deadline for companies to comply with this obligation?
The GDPR, the LOPDGDD and the Whistleblowing Directive must be consulted to verify whether a company must have a DPO.
In this regard, if the company employs fewer than 50 workers, it must be checked whether any of the general cases under the GDPR or the specific cases under the LOPDGDD, summarised above, apply.
If you need a DPO, at Letslaw we are experts in privacy and data protection, contact us!