Under Article 37 of the GDPR an organisation, whether controller or processor, must appoint a Data Protection Officer (DPO) if that organisation is a public authority or body, except for “courts acting in their judicial capacity”.
An organisation will also need to appoint a Data Protection Officer if the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale (Art 37(1)(b)).
A DPO will also need to be appointed if the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant or personal data relating to criminal convictions and offences (Art 37(1)(c)).
What is a Public Authority/Body?
A public authority for the purposes of the GDPR is defined in the UK under section 7 of the Data Protection Act 2018.
When does data processing become a Core Activity?
The GDPR does not define when an activity becomes “core” to an organisation, but Recital 97 to the GDPR states the following:
In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities.GDPR, Recital 97
Therefore a core activity is the primary activity of an organisation, if an organisation can not achieve its aim without processing the relevant personal data, then this will be a core activity. If the data processing it is only ancillary, then it is not a core activity.
Regular and systematic monitoring of data subjects on a large scale.
Recital 91 to the GDPR states that large-scale processing operations are:
operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high riskGDPR, Recital 91
The Article 29 Working Party recommended (subsequently endorsed by the European Data Protection Board (EDPB)) that that the following factors, in particular, should be considered when determining whether processing is carried out on a large scale:
- the number of data subjects concerned – either as a specific number or as a proportion of the relevant population
- the volume of data and/or the range of different data items being processed
- the duration, or permanence, of the data processing activity
- the geographical extent of the processing activity
The Working Party gave, among others, the following examples:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities
The working Party stated that “regular” means one or more of the following:
- ongoing or occurring at particular intervals for a particular period
- recurring or repeated at fixed times
- constantly or periodically taking place
“Systematic” means one or more of the following;
- occurring according to a system
- pre-arranged, organised or methodical
- taking place as part of a general plan for data collection
- carried out as part of a strategy
Examples of activities that may constitute a regular and systematic monitoring of data subjects are given as: operating a telecommunications network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc
Processing of special categories of personal data and personal data relating to criminal convictions and offences on a large scale
A determination will need to be made, as above, if the processing of special category or criminal data is on a “large scale” and as part of an organisation’s “core activity”. The reasons for any decision taken by the organisation will need to be recorded, reviewed and made available to the ICO if required.