We aim to analyze herein the implications of the long-term activity of a data protection officer (DPO), answering questions such as: Can the data protection officer, whether employed or outsourced, be sanctioned when it is established that the company is in breach of data processing rules? If yes, when, by what means and to what extent?
For clarity, we assume that the company has observed its obligations towards the DPO and has therefore provided him with all adequate and necessary support to fulfill his tasks, as follows: it conferred independence on him, it involved the DPO in decisions pertaining to the processing of personal data, it provided the DPO with access to the operational aspects of the company and with resources for training and development in the data privacy field, it followed the DPO's advice, and it also allowed the DPO to allocate the necessary time to performing his responsibilities.
However, it may happen that the company is found liable for the manner in which it processes personal data and is financially and/or reputationally exposed. Such situations could arise from an investigation (unannounced or announced) carried out by the Data Protection Authority (whether ex officio or following a complaint) or, possibly, from a final court judgment. Signs of concern may also arise from a fine imposed on another player in the market whose practice is similar to the company's, or even from a simple online alert about how the company processes personal data.
The DPO is not irreplaceable
Although the Article 29 Working Party (currently, the European Data Protection Board) states in its Guidelines on DPOs that the DPO is not personally responsible for the employer's failure to comply with data protection requirements, this does not mean that the DPO cannot be held liable. It simply means that the entities processing personal data will be those required to cover any potential damage caused by such failure.
Albeit Article 38 para. (3) of the GDPR provides, inter alia, that the DPO "shall not be dismissed or penalised by the controller or the processor for performing his tasks" under Article 39, wording that has caused new confusion in practice, the data protection officer is not entirely exempt from any possible fault. This provision simply ensures that DPOs have autonomy and independence in decision-making, that they are protected against possible repercussions from the management board of the company, and that they are able to take the right decisions even when pressure is exercised on them. Such a situation could arise, for instance, when the employer's interest must be balanced against the rights of data subjects when processing personal data on the basis of the employer's legitimate interest, or when the DPO is threatened or promised an advantage (remuneration or another position).
The purpose of the above-mentioned legal provisions was not to make the DPO position irremovable (or irreplaceable), regardless of the modality in which the DPO performs his/her activity. Performance of the DPO's duties means, in accordance with Article 39 of the GDPR, that the DPO monitors compliance of the manner in which the company processes personal data.
When does the DPO become liable?
If the company fully followed the DPO's advice and yet was sanctioned, it means that the person in charge did not perform his duties, and he may be held liable for lack of diligence or for gross negligence (malpractice), as the GDPR does not, and in our view could not, prevent this possibility.
An example in this regard could be the manner in which the register of processing activities is kept pursuant to Article 30 of the GDPR. Although the GDPR provides, in principle, that this task is incumbent upon the controller, the agreement detailing the DPO's duties could also include filling in and updating such records. If, during an investigation, it is found that the register has been handled with serious negligence, e.g. it lacks all the necessary fields, the DPO's liability may be engaged.
Another possible example could be a DPO who did not recommend obtaining consent for online marketing activities aimed at people who have never been clients of the company.
Additionally, failure to bring common cases of non-compliance to the controller's knowledge (some of them mentioned by the DPA in its yearly publicly available reports, such as excessive processing of the national identification number, ignoring the requests of data subjects, or exceeding the legal deadlines for replying to data subjects) could be another situation of possible negligence by the DPO and could lead to serious prejudice for the company, which might then be interested in turning against the DPO for his passivity. Of course, this example applies only where the DPO knew or should have been aware of the company's data protection practices.
For these types of situations, an internal DPO will be treated as any other employee who, according to Romanian labor law, will be liable, if the parties so agree, within the limit of five gross minimum wages in the economy, or, if they do not agree, as further decided by a court of law in a litigation suit which may be lengthy. In a few words, the DPO shall be held liable in a limited manner and under specific conditions, while the recovery of damages can, in practice, last for years.
On the other hand, in the case of an external DPO, liability will be contractual and the company, pursuant to the provisions of Article 1.530 of the Romanian Civil Code, has the right to receive damages for the prejudice caused by the DPO as a direct and necessary consequence of the unjustified or, where applicable, wrongful failure to perform the obligation. Appointment of an external DPO may be comfortable in terms of liability, as the DPO may hold an insurance policy whereby customers would receive compensation for the losses caused. In practice, however, many insurers avoid issuing such policies given the new and unpredictable framework.
What should companies consider, among others, when choosing an internal or external DPO?
- An internal DPO may require short-term training costs, while an external DPO already has sound knowledge, being a professional in the field, and has an interest in continuing to perform well in order to attract other clients;
- In the case of an internal DPO, personal data remains within the company and the risk of a security incident falls considerably; this is of course also the case when the company providing outsourced DPO services ensures that a person is continuously present at the controller's premises, which is rarely encountered in practice, as a service provider would be interested in having as many customers as possible served by the same DPO, or when the external DPO has implemented appropriate technical and organisational security and control measures;
- An internal DPO will be better aware of how personal data is processed within the company, whereas the person designated as an external DPO will have to take care of compliance on data protection matters for more than one company at the same time;
- Communication: staff from other departments might be more open to discussing matters with a third party acting as a panacea;
- Loyalty: this should in principle exist in both cases. The employee will ensure that his employer is safe, and the external DPO will always exercise all due diligence so that his portfolio is not affected;
- The internal DPO will be closer to the company, but the external DPO will always be present when needed; for example, another internal DPO is unlikely to replace the appointed one when he/she is unavailable, while in the case of an external DPO there will always be another professional in the field who can take over the duties;
- The labor agreement with an internal DPO will be difficult to terminate, as compared to the agreement with an external one; in the latter case, clear conditions can be laid down under which the agreement can be terminated (commissoria lex).
All these aspects should be taken into account when choosing the DPO, in order to prevent possible damage rather than having to cover it subsequently, both financially and reputationally. For companies with exposure, a fine imposed for the manner in which data are processed, even if it does not burden them financially, can, once it has become public, cause them considerable injury to reputation, which may translate in the long run into a lack of customer confidence. Relevant in this respect is the statement of Johnny Ryan, chief policy and industry relations officer of the Brave web browser, on the recent fine imposed on Google by the French data protection supervisor, CNIL.
By Silvia Axinescu, Senior Managing Associate, Dragos Sarban, Associate, Deloitte Legal