Does the obligation under Article 38(2) of the GDPR apply to a controller with an external DPO?
Does the obligation set forth in Article 38(2) of the GDPR to "provide the DPO with the resources necessary to maintain his or her expert knowledge" apply only to the employed DPOs, or also to those who perform their tasks under a service contract?
The function of a DPO is a specialty that requires constant commitment to professional development. The methods and technologies used to process and ensure the security of personal data, as well as the growing number of regulations and their amendments, mean that knowledge of data protection law and practices must be constantly updated.
The tasks imposed on officers in the GDPR are difficult, and their performance requires special substantive preparation. As the Article 29 Working Party points out in the Guidelines on Data Protection Officers (WP243 rev.01), the officer plays a key role in fostering a "culture of data protection" within an organisation and helps to implement the necessary elements of the GDPR, including the principles of personal data processing, data subject rights, data protection by design and data protection by default, register of processing activities, processing security requirements and personal data breach notification.
For the above reasons, the EU legislator imposed an obligation on the controller and processor in Article 38(2) of the GDPR to support the DPO on an ongoing basis by providing him or her with the necessary resources to perform his or her tasks and access to personal data and processing operations, as well as the resources necessary to maintain his or her expert knowledge. This obligation applies both to situations where the DPO is a controller's employee and to DPOs performing their tasks under their service contracts.
The GDPR does not prejudge what specific resources and how specifically the controller (processor) - using the support of a DPO - should provide in order to comply with the obligation set forth in Article 38(2) of the GDPR. In light of the GDPR, a DPO's professional qualification includes not only expertise in data protection law and practices, but also the ability to fulfill the tasks referred to in Article 39. It is therefore worthwhile for an assessment of what resources are necessary to maintain the DPO's qualification to take both of these elements into account.
The Guidance for data protection officers in the public and quasi‐public sectors on how to ensure compliance with the European Union General Data Protection Regulation indicates that an organisation should ensure that its DPO can continue to maintain and enhance her or his expertise, also after their appointment, by attending relevant courses and seminars (p.129).
The WP29 in its Guidelines on the Data Protection Officer (WP243 rev.01) indicated that the officer’s level of expertise must be commensurate with the with the sensitivity, complexity and amount of data an organisation processes. For example, in the case of exceptionally complex processing of personal data or in the case of processing a large amount of special categories of data, the officer may need a higher level of expertise and support. For this reason, the Article 29 Working Group advocated a broad understanding of resources and pointed out, among other things, the need for ongoing training for the DPO, ensuring that he or she can continually update his or her data protection knowledge. The officers should be encouraged to participate in training courses, workshops, forums on data protection to increase their knowledge. As a rule, the more complex the data processing, the more resources should be allocated to the DPO. Personal data protection must be effective and requires sufficient resources appropriate to the scope of data processing.
Recital 97 of the GDPR clarifies that the necessary level of expertise must be determined in particular in light of the processing operations carried out and the protection that the processed personal data require. Thus, if the inspector's level of expertise must be appropriate to "the processing operations carried out and the protection required by the personal data being processed" and is to be maintained at that level (Article 38(1) of the GDPR), the amount and type of resources devoted to ensuring that the officer is properly qualified must be selected on a case-by-case basis and with the above criteria in mind.
In the case presented, i.e., where an officer performs tasks on the basis of a service contract, issues related to the provision of resources to maintain the expertise of the DPO should be carefully determined by the parties to the contract when concluding (or possibly renegotiating) the contract, so as to ensure compliance with the aforementioned Article 38(2) of the GDPR and the principle of accountability (the controller should be able to demonstrate that it has properly fulfilled its obligation).
These arrangements should refer to what kind of measures these will be, how they will be provided. Such careful drafting of the contractual provisions regarding the obligations of the parties to the contract contributes to the achievement of the contract's objectives and its realistic performance.
When constructing the content of the agreement, the principle of freedom of the parties in determining their mutual rights and obligations applies, but it is nevertheless limited by the requirements of the data protection legislation. The solutions adopted by the parties related to the provision of resources for maintaining the expertise of the DPO should take into account a number of criteria, such as: the current state of the DPO's expertise and the ways in which it has been updated to date, the specifics of the processing carried out by the controller related to the type and scope of its activities, the complexity and number of data processing operations, the technical means used and their degree of complexity, and the current needs for compliance with legal requirements and practices in the field of personal data protection.
The officer’s further training translates into an increasingly higher level of expertise and the quality and efficiency of his or her work. This undoubtedly brings benefits to the management and processors of personal data at the controller (processor), who - supported by a properly qualified officer - are able to meet the requirements imposed on them by law and internal regulations and minimise the errors they make.