Google App fined for not having a DPO. Which companies are required to have a DPO?

Google App fined for not having a DPO. Which companies are required to have a DPO?

The European Union has been demanding uniform measures to guarantee the privacy of personal data through the application of european privacy regulations, specifically the General Data Protection Regulation (GDPR). This Regulation establishes the obligation, for certain cases, to appoint a Data Protection Officer or commonly referred to as ‘DPO’.

Google, as a tech giant, has not managed to pass unnoticed by European privacy supervisory authorities. The French National Data Protection Commission (CNIL) imposed a €50 million penalty on Google for non-compliance with the GDPR. 

It is true that the only reason for the sanction was not the lack of a DPO, but rather a series of infringements: Lacking a designated DPO for Google European HQ (it only had a designated DPO at its HQ in California, which does not comply with the requirements established by the GDPR) as well as failing to comply with its duty to inform users in an accessible, clear and simple manner and for failing to obtain valid consent from users to process their personal data.

Google has not been the only company sanctioned for not appointing a DPO; in 2020 the Spanish Data Protection Agency (AEPD) already fined the app GLOVO 25,000 euros, precisely for not having a DPO appointed.

What is a DPO and what are their functions?

The DPO is a figure whose role is considered key to reaching a good implementation of the GDPR and therefore to the prevention of privacy risks and breaches.

Article 39 of the GDPR sets out the functions of the DPO which, as a minimum, should include the following:

• Providing advice and information on privacy obligations to the organization’s controllers, processors and employees.
• Monitoring compliance with the provisions of the GDPR and any other applicable privacy legislation including allocation of responsibilities, awareness and training of staff involved in the processing of personal data and related audits.
• Provide advice on the privacy impact assessment and monitor its implementation.
• Cooperate with the supervisory authorities, acting as a point of contact with them for any request for information addressed to the company or organization, as well as making any enquiries to the authorities on behalf of the company or organization.

Obliged entities and aspects to be taken into account when appointing a DPO.

The Article 37 of the GDPR provides for the obligation to appoint a data protection officer where data processing is carried out by a public authority or body, where the main activities consist of the processing of data requiring routine and systematic observation of data subjects on a large scale, or where the main activities consist of large-scale processing of special categories of personal data and data relating to convictions and criminal offences.

The Spanish Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD) has more clearly detailed a list of cases in which the appointment of a Data Protection Officer (DPO) is mandatory:

• Professional associations and their general councils.
• Educational establishments providing education at any level, as well as public and private universities.
• Entities that operate electronic communications networks and services when they routinely and systematically process personal data on a large scale.
• Providers of information society services, when they draw up large-scale profiles of the users of the services.
• Credit institutions’ management, supervision and solvency institutions.
• Financial credit institutions.
• Insurance and reinsurance undertakings.
• Investment services companies, regulated by the Securities Market.
• Distributors and marketers of electricity and distributors and marketers of natural gas.
• Entities responsible for joint solvency and creditworthiness assessment, fraud management and prevention files, including those regulated by legislation on the prevention of money laundering and the financing of terrorism.
• Entities that carry out advertising and commercial prospecting activities, including commercial and market studies, when they carry out processing based on the preferences of data subjects or carry out activities that involve profiling of data subjects.
• Healthcare establishments which are legally obliged to keep patient health records.
• Entities whose activity consists of issuing commercial reports that may refer to natural persons.
• Operators who carry out gambling activities through electronic, computerised, telematic and interactive channels, in accordance with the regulations governing gambling.
• Private security companies.
• Sports federations when they process data on minors.

Controllers or processors not included in the previous paragraph may appoint a DPO on a voluntary basis.

The professional qualities to be taken into account when appointing the DPO are not specifically regulated, but it is important that the DPO has expertise and knowledge of national and European data protection law and practices.

In any case, according to the GDPR, when a DPO is appointed, there is an obligation to notify the supervisory authority within 10 days and to publicise its appointment by electronic means.

Fines and sanctions for not appointing a DPO.

Article 73 of the Spanish LOPDGDD establishes that not having a DPO in accordance with the requirements of the GDPR may be considered a serious infringement.

Failure to appoint a Data Protection Officer constitutes an infringement, which may result in an administrative penalty of up to €10 million or 2% of the total annual turnover, whichever is higher.

Letslaw by RSM

Have you not yet appointed a DPO? Not sure whether your company should appoint a DPO? Contact Letslaw by RSM so that we can advise you on whether your business requires the appointment of a DPO and assign you a DPO with demonstrable experience to comply with the privacy regulation.