When is it mandatory to appoint a DPO and what functions must he/she perform?

The regulations provide different situations in which it is mandatory, for the person responsible and the person in charge of data processing, designate a Data Protection Officer (DPD hereinafter), which depends on the legal nature of the person responsible and the person in charge, the more or less invasive nature of the processing or the types of personal data processed.

First of all, and based on the article 37 GDPR, three assumptions are established to determine when it is necessary to incorporate the figure of the DPD. 

1. the processing is carried out by a public authority or body, except by courts acting in the exercise of their judicial function; 
2. the main activities of the controller or processor consist of processing operations that, due to their nature, scope and/or purposes, require regular and systematic observation of data subjects on a large scale, or 
3. The main activities of the controller or processor consist of large-scale processing of special categories of personal data pursuant to Article 9 and data relating to convictions and criminal offenses referred to in Article 10.

In relation to the large scale data processing, the budgets established by the Working Group of article 29 must be met:

• It affects a large number of stakeholders.
• The volume and variety of data elements is very large.
• The duration of treatment is prolonged.
• This is an activity with great geographical scope.

For example, a hospital is forced to appoint a DPO because, as established in article 34.1.l of the RGPD:

“Healthcare centers are legally obliged to maintain patient medical records.” 

In the case of the hospital, in addition to not carrying out the main activity individually, but rather jointly with several specialists, all the premises for the adoption of the figure of the DPD would be covered. 

When appointing the DPD, article 37.5 RGP will be taken into consideration, which establishes that:

“The DPO will be appointed taking into account his professional qualities and, in particular, his specialized knowledge of law and practice in the field of data protection and his ability to perform functions indicated in article 39”

That is why the The appointment of the DPD must be carried out taking into account a series of professional qualities and specialized knowledge theoretical and practical knowledge regarding data protection that the person or entity that assumes the role must possess. Thus, you must gather a series of personal skills and abilities that allow you to delve into the context of the organization, know the processes of its activity and offer functional solutions. 

As established in article 35, for the appointment of the DPD, qualification may be demonstrated, among other means, through voluntary certification mechanisms that will take particular account of obtaining a university degree that accredits specialized knowledge in law and practice in the field of data protection. 

Once appointed, the Data Protection Officer will be responsible for:

• Ensure compliance with data protection regulations, following the guidelines established by the person in charge and responsible for the processing of personal data. 
• Supervise, monitor and control that data protection regulations are complied with and carry out their functions internally with exclusive dedication. 
• Since independence, report deficiencies to senior management and to the person responsible and in charge of data processing. 

At the organizational level, the functions to develop by the DPD will be:

1. Inform and advise the entity and its employees on data protection obligations and applicable legislation. 
2. Monitor regulatory compliance, including assignment of duties and training.
3. Advise on carrying out impact assessments on data protection.
4. Act as the entity's interlocutor before the AEPD.
5. Address prior complaints from interested parties.
6. Respond in the first instance to claims against the entity presented to the AEPD, and must respond within one month.

The appointment of DPD will be notified to the Spanish Data Protection Agency. The DPD's contact details will be public so that interested parties can contact directly the person who performs these functions.