If you are a hospital processing European Union (EU) patient data, if you maintain EU customer loyalty programs, or if you engage in behavioral advertising of EU citizens, you may be required to appoint a data protection officer (DPO) by May 2018.

Earlier this month, the Article 29 Working Party (WP29) issued revised guidance regarding the appointment of data protection officers under the General Data Protection Regulation (GDPR), the new EU privacy regulation which goes into effect in May 2018. These revisions build upon guidance initially adopted in December 2016.

Who Must Appoint a DPO?

GDPR creates a new stipulation: the appointment of a data protection officer to monitor compliance of the organization with the requirements of GDPR. These include all controllers and processors who are "public authorities and bodies." In the private sector, DPOs must be appointed by entities which, as a core activity, monitor individuals systematically and on a large scale, or that possess special categories of personal data on a large scale. Even if an entity is not required to appoint a DPO, the WP29 guidance recommends that one be appointed on a voluntary basis.

The guidance characterizes "core activities" as key activities necessary to achieve the entity's goals, but also practices whereby data processing is "an inextricable part" of the entity's operations. As an example, the guidance states that while data processing likely would not be considered a core activity of a hospital, the hospital could not provide safe patient care without processing health data records and thus should appoint a DPO.

WP29 counsels that "regular and systemic monitoring" includes all forms of tracking and profiling on the internet. WP29 additionally notes that "regular" would mean "ongoing or occurring at particular intervals for a particular period; recurring or repeated at fixed times; and constantly or periodically taking place." And "systematic" would mean "occurring according to a system; pre-arranged, organized, or methodical; taking place as part of a general plan for data collection; and carried out as part of a strategy."

Examples include providing telecommunications services; email retargeting; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioral advertising; connected devices e.g. smart meters, smart cars, home automation, etc.

WP29 recommends that the following factors be taken into account to determine whether an organization is processing data on a large scale:

  • The number of data subjects concerned—either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity

Examples of large-scale processing include:

  • Processing of patient data in the regular course of business by a hospital
  • Processing of travel data of individuals using a city's public transport system (e.g. tracking via travel cards)
  • Processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in providing these services
  • Processing of customer data in the regular course of business by an insurance company or a bank
  • Processing of personal data for behavioral advertising by a search engine
  • Processing of data (content, traffic, location) by telephone or internet service providers

DPO Can Be Outside the EU

A DPO may be a single person or a team of people. If an organization prefers, it may contract to appoint an external DPO (or an external DPO team) rather than using a person within the organization.

The WP29 generally recommends that an organization's DPO be physically located in the EU. However, for organizations that have no establishment within the European Union, WP29 recognized that a DPO may be able to carry out his or her activities more effectively if located outside the EU.

In order for an organization's DPO to carry out his or her duties effectively, the GDPR requires that the DPO be given adequate resources and be allowed to maintain their independence and autonomy within their organization. This includes refraining from placing the DPO in a position by which he or she could have a conflict of interest.

Organizations should take care to review these guidelines and determine whether to appoint a DPO well in advance of the effective date of the GDPR to ensure compliance.

On May 10, 2017, from 8:30 a.m. to 10:00 a.m. ET, Ballard Spahr will conduct a CLE, "Countdown to GDPR: Practical and Technological Solutions for Compliance." A link to register is available here.

Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. Our attorneys regularly work with multinational companies on structuring and properly documenting their cross-border data transfers. We also assist in drafting privacy policies, third-party vendor agreements, and information security policies and procedures as necessary to comply with the requirements of the GDPR and the EU–U.S. Privacy Shield.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices