Is the head of the registry office a controller and is obliged to designate a DPO?
In the local government unit where I serve as the DPO, the mayor has hired another person as the head of the registry office. In such a situation, is the head of the registry office the controller of the personal data he or she processes? If the head of the registry office is the controller, another question that comes to my mind is whether he or she is obliged to designate a data protection officer? My doubt stems from the fact that the Act of 10 May 2018 on the Protection of Personal Data, in Article 9, indicates that public authorities and bodies obliged to designate the officer, referred to in Article 37(1)(a) of the GDPR, shall mean: entities of the public finance sector, research institutes, the National Bank of Poland. Another question relates to the form in which the designation of the DPO by the head of the registry office should take place?
In response to the first question, it should be noted that the Act of 28 November 2014. - Law on Civil Status Records explicitly specifies who carries out the objectives of the Act, in that the head of the registry office has been obliged by law to perform civil status registration activities (Article 9 of the Law on Civil Status Records). Therefore, it should be considered that it is the head of the registry office who is the controller, regardless of whether, in a particular situation, this function will actually be held by a municipal authority - the village mayor (mayor, president of the city) - or by another person designated for this function by the village mayor (mayor, president of the city) pursuant to Article 6(4) or (5) of the Law on Civil Status Records.
On the other hand, with regard to the question concerning the possible obligation of the head of the registry office to designate a data protection officer, it should first be stated that, in view of the wording of Article 9 of the Act of 10 May 2018 on the Protection of Personal Data, which is a provision of national law that establishes the direction of interpretation in the Polish legal system of the term "public authority or entity" used in Article 37(1)(a) of the GDPR, it cannot be assumed that the obligation to designate a data protection officer for the head of the registry office stems from the premise listed in Article 37(1)(a) of the GDPR. However, it is worth bearing in mind that even in the absence of such an obligation, the controller - the head of the registry office - may voluntarily designate such an officer.
At the same time, it should be recalled that Article 37(3) of the GDPR allows several controllers to designate a single data protection officer, but taking into account their organisational structure and size. It should be noted, however, that the use of such a solution requires a careful analysis of whether the designated person will be able to properly fulfill all of his or her duties in relation to each controller. The assessment of this issue depends on a number of factors, including but not limited to: having an appropriate amount of time at his or her disposal for the scope of tasks and the specifics of data processing, the need to avoid conflicts of interest, and the size and organisational structure of the entity that is the controller. At the same time, one should be aware that many of the duties of DPOs provided for in the GDPR require constant commitment to the controller who designated the officer, as well as the so-called "effective availability" of the officer to the organisation’s staff. This is because the tasks of the DPO include, for example, ongoing monitoring of the compliance of personal data processing with the law and providing information and advice on the obligations under the law, as well as acting as a contact point for data subjects and the supervisory authority. In view of this, the decision regarding the selection of a suitable person to serve as a DPO must be made by the controller with full awareness of his or her responsibility for the proper implementation of his or her obligations under the law. (For more information, see the Article 29 Working Party's Guidelines on Data Protection Officers (WP 243) and the Office's website under the Data Protection Officer tab, e.g., at the following link: https://uodo.gov.pl/pl/223/658).
Thus, in the event that the mayor and the head of the registry office designate the same person as their DPO, they should jointly establish rules for ensuring that such an officer has sufficient time to perform his or her duties, help create a plan for his or her work, and, if necessary, support his or her functioning with a team of relevant specialists.
Please be advised that the designation of a person other than the village mayor (mayor, president of the city), who is a separate controller, to hold the function of head of the registry office does not necessarily mean that data protection procedures and policies for processing in this area need to be created in a separate document. Indeed, a single documentation can regulate data protection issues pertaining to controllers existing within the same entity.
It is also worth remembering that if the head of the registry office decides to designate an officer, he or she, as the controller, should make the designation, as well as notify the President of the Office of the designation.
Regarding the question of the form of the act of designating an inspector, it should be noted first of all that the provisions of GDPR and the Act on the Protection of Personal Data do not contain detailed regulations in this regard. In view of this, the decision on this issue is up to the controller. However, taking into account the principle of accountability, according to which the controller must be able to demonstrate compliance with the regulations on personal data protection, which in practice most often means documenting all processes related to the protection of personal data, the controller should choose a form that will allow it to demonstrate in particular: when and whom it designated to perform such a function.