Effective designation of a DPO a necessary condition for effective data protection
The President of the Personal Data Protection has imposed a PLN 25,000 administrative fine on the District Building Control Inspector in Częstochowa for failure to designate a Data Protection Officer and, consequently, failure to publish his contact details and to notify the supervisory authority of these details.
The obligations to effective designation of a Data Protection Officer are incumbent on the controller under Articles 37(1)(a) and 37(7) of the GDPR. Under these provisions, public authorities or entities (with the exception of courts in their administration of justice), are required to designate a Data Protection Officer, publish his or her contact details and notify the supervisory authority.
The District Building Supervision Inspectorate (PINB), as part of the proceedings proceeding initiated by the President of the Personal Data Protection Office, submitted a copy of the personal files of two persons who, in its opinion, had previously performed the function of the DPO at the PINB in Częstochowa, in the form of:
- a certificate of completion of the personal data protection training for the Data Protection Officer,
- information clause on personal data processing,
- authorization to process personal data in traditional and IT system,
- an order on the introduction of Security Policy for personal data processing in the District Building Supervision Inspectorate,
- the scope of activities to perform the function of the DPO on the basis of the verbal order of the Controller.
In the opinion of the President of the Polish SA, the expressions appearing in the above-mentioned documents can only indirectly prove that the function of the DPO within the controller's structure is performed by the persons indicated therein. They do not prove that there has been an effective designation to the position of DPO. The holding of the function of DPO on the basis of a verbal instruction from the controller does not constitute its effectiveness.
In order to demonstrate the effectiveness of such a designation before the supervisory authority, the controller should strive to ensure that the legal act (e.g. internal regulation, resolution, delegation of duties) or the contract with the person who is to perform the function of DPO clearly indicate the designation of a specific person to be a DPO. For evidentiary purposes, it is essential that they are also in writing. It is also necessary that the responsibilities are precisely assigned to him/her in accordance with the provisions of Articles 38 and 39 of the GDPR.
In the case of the PINB in Częstochowa, the controller complied with the formalities and effectively designated a specific person to act as the DPO only on 4 March 2024, which is after the Polish SA's proceeding. The following day, he notified the President of the Personal Data Protection Office. However, by the date of the decision (18 October 2024), he had not published the contact details of the aforementioned person. Currently, the contact details of the DPO are published on the controller's website.
The effective designation and publication of the DPO's data constitutes an important guarantee for the personal data protection of data subjects. This is due to the very role of the DPO and the wide range of tasks assigned to him/her under Articles 38 and 39 of the GDPR.