Verification of compliance with the provisions on data protection officer
Since the beginning of the application of the GDPR, the Polish Data Protection Authority (Polish DPA), both in the course of its proceedings and in response to cases of non-compliance with the provisions concerning data protection officers (DPO) reported to it, has taken actions resulting from its powers set out in Article 58 of the GDPR. The supervisory authority's experience to date in this regard has been used to formulate a list of issues to which - together with the presentation of relevant evidence - the requested controllers and processors will have to refer.
Since the beginning of the application of the GDPR, the main checks during the inspection activities have concerned compliance with the provisions regarding proper designation and functioning of the DPO. Issues checked included inter alia the obligation to appoint a DPO, to notify the supervisory authority of the appointment or dismissal of the DPO, the publication of the DPO's name on the controller's website, the position of the DPO within the organisation, the involvement of the DPO in personal data protection matters and the possible existence of a conflict of interests.
In most cases the verification was positive and did not give grounds to apply corrective powers. Only in a few cases did the DPA find irregularities involving a conflict of interests, e.g. when the Secretary of the Municipality performed the function of the DPO, or the DPO was not consulted on personal data processing operations that were undertaken.
Several breaches related to the function of the DPO required the supervisory authority to take corrective action as set out in Article 58(2) of the GDPR, including the issuance of an order to appoint a data protection officer at the housing association and the imposition of an administrative fine due to the DPO performing his/her tasks without due consideration of the risks related to the processing operations and not involving the DPO in the processing operations carried out.
As far as irregularities reported by data protection officers (and sometimes by other entities) are concerned, so far there have not been many such signals and they have mainly concerned the following:
- failure to publish the DPO’s name and surname on the controller's website
- failure to update the DPO's details on the controller's website
- the adoption of procedures imposing on the DPO duties resulting in a conflict of interests
- providing in the organisational rules that the DPO can be dismissed at any time
- the reasons for dismissal of the DPO
- the location of the DPO in the organisational structure of the controller was incorrect: the DPO did not report directly to top management
- failure to provide the DPO with sufficient time and other resources necessary to perform his/her tasks
- failure to provide the DPO with the financial and infrastructural support as well as the possibility to update knowledge
- omission of the DPO in cases concerning the processing of personal data (including those in which the controllers asked for the opinion of the Polish DPA without asking the DPO first)
In each situation reported by the DPOs, the Polish DPA, on the basis of Article 58(1) letter (a) and (e) of the GDPR, called upon controllers to provide explanations regarding the solutions adopted by them with regard to a specific obligation under the data protection legislation, together with detailed and substantiated information on the regulations and practices adopted to correctly implement this obligation. In all of these cases, the controllers indicated that they had taken measures to bring their activities into line with the provisions on DPOs by providing amended, detailed organisational measures for this purpose. In only one case a decision was issued in which the supervisory authority issued a warning stating that the controller had breached the provision of Article 38(6) GDPR.
The signals provided by the DPOs in this respect, although not numerous, were very valuable for the supervisory authority, which has always attached great importance to supporting the independence and proper performance of the DPO's function, as well as to enforcing the obligations of the administrators in this respect. At the same time, together with the questions and doubts related to the status and tasks of the DPO which the DPOs (and earlier the information security administrators) had been presenting to the Polish DPA for several years, they became the basis for developing a detailed set of questions. The supervisory authority, exercising its powers, will address them to controllers and processors, both from the public and the private sector:
1) Has the controller appointed a data protection officer (DPO)?
2) Is there an obligation on the controller to appoint a DPO (if so, on what legal basis), or has the DPO been appointed in the absence of such an obligation?
3) Has the controller published the name, surname and contact details of the DPO on the controller's website or, if the controller has no website, in a manner generally available at the controller's place of business?
4) Is the above information available in a publicly accessible place (please indicate the place; in the case of a website, indicate its address and a link to this information)?
5) Is the data protection officer an employee of the controller and, if not, on what legal basis does he/she perform his/her duties?
6) Has the DPO been appointed on an exclusive basis at the controller, or does he/she also carry out his/her duties for other controllers?
7) On the basis of which qualifications has the controller appointed the DPO (e.g. education, experience, knowledge)?
8) What necessary resources referred to in Article 38(2) of Regulation 2016/679 does the controller provide to the DPO?
9) How does the controller provide resources to maintain the expertise of the DPO?
10) What position does the DPO hold and to whom does he/she report within the controller's organisational structure?
11) Has the controller appointed a deputy DPO and, if so, when?
12) Does the controller have a DPO team or any other form of ongoing support for the DPO to perform his/her tasks?
13) How does the controller ensure that the DPO is properly and promptly involved in all matters concerning the protection of personal data (e.g. have rules been developed concerning which matters are to be consulted with the DPO, who should come forward to consult the DPO and in what situations, does the DPO participate in management meetings and on what terms)?
14) How does the controller ensure that the DPO has access to the personal data and the processing operations?
15) Has the controller adopted any internal regulations concerning the functioning of the DPO (in particular to ensure respect for the guarantees of his/her independence and his/her rights as regards access to personal data and processing operations, involvement in all matters concerning personal data protection, and avoidance of conflicts of interest) and, if so, in which internal act have these regulations been provided for?
16) How does the controller ensure that no instructions are given to the DPO regarding the performance of his/her tasks?
17) How does the controller ensure that DPOs are not sanctioned or dismissed for carrying out their tasks?
18) How does the controller deal with cases where the guidance or recommendations of the DPO are not followed, e.g. does it document the reasons for not following the guidance?
19) How can data subjects contact the DPO in accordance with Article 38(4) of Regulation 2016/679?
20) Does the DPO also perform any other duties or exercise any other function in addition to the duties relating to the protection of personal data? If so:
   a) what functions does the DPO fulfil, how much working time do those functions take, and how much working time is taken by other tasks,
   b) how has the controller assessed that none of these tasks gives rise to a conflict of interests as referred to in Article 38(6) of Regulation 2016/679,
   c) in performing the other tasks, does the DPO report to persons other than the controller's top management?
21) Has the controller developed a conflict of interests management policy or put in place another mechanism to ensure that there is no conflict of interests?
22) Does the DPO perform his/her tasks only at the controller's seat and, if not, where, and how is the DPO's permanent availability to the controller's management and staff ensured?
23) Has the DPO developed (or is he/she systematically developing) a plan of his/her work, e.g. in terms of training and audits?
24) Has this plan been presented to the controller to enable an assessment of whether the DPO has sufficient resources and powers in the areas covered by the DPO?
25) How often and how does the DPO communicate the results of the audits carried out to the controller?
26) Has the controller requested the DPO to provide recommendations on the data protection impact assessment and, if so, in which situations?
27) Does the controller check the DPO's work and, if so, how?