Data Protection Officers
Not all organisations are legally obliged to appoint a Data Protection Officer (DPO). The law specifies three instances in which the controller or the processor is legally obliged to designate a DPO. An organisation that fulfils one of the criteria below is required to appoint a DPO:
- a public authority or body; or
- the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and personal data relating to criminal convictions and offences.
Controllers or processors that fail to designate a DPO when they are legally required to do so infringe the GDPR and will be subject to the necessary corrective action.
If your activities fall within one of the criteria listed above, you are therefore required to appoint a DPO, publish his or her details and communicate those details to the Commissioner at idpc.info@idpc.org.mt.
The necessary details which should be communicated to our Office are the following:
Name of Data Controller, Name of DPO, Mailing Address, Email Address,
Contact Number, Nature of Business, and Date of Appointment.
It is important to note that the Commissioner neither approves nor endorses any DPO’s designation; this Office will only register the contact details as provided by you for the purpose of Article 37(7) of the GDPR. This registration is without prejudice to the Commissioner’s powers to investigate any infringements of the data protection legal framework.
Frequently asked questions on DPOs
Can the DPO be appointed by the organisation on a voluntary basis?
Yes, a DPO can be appointed on a voluntary basis. The IDPC encourages organisations to appoint a DPO even when not legally obliged to do so as, pursuant to the accountability obligations, having a DPO can enable the organisation to effectively demonstrate compliance with the provisions of the GDPR. Also, a DPO can foster a culture of data protection within the organisation that enables the employees of the controller to be active participants in the data protection efforts.
However, once an organisation makes the decision to appoint a DPO on a voluntary basis, that organisation has the obligation to fully comply with the provisions of the GDPR, in particular, Section IV of the GDPR. This includes inter alia making available the necessary resources to enable a DPO to effectively perform his/her tasks, ensuring that any additional tasks and duties which the DPO may be required to fulfill do not result in a conflict of interests and informing the IDPC of the appointment of the DPO.
What qualifications should the DPO have to perform his/her tasks?
The law does not specify which qualifications the DPO should have, or which training the DPO should receive to perform his/her tasks. In generic terms, the law states that the DPO should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks of the DPO. This enables organisations to determine which qualifications the DPO should possess and to decide which training the DPO should undergo based on the specific nature and business of the organisation.
The appropriate level of qualification should be determined based on a number of considerations, which include, inter alia, the nature of the business processing activities, the volume of the personal data processed, the complexity of the organisational structure and the technologies used by the organisation.
The DPO should have adequate knowledge of:
- the applicable data protection legislation;
- the processing operations, the information systems, and the security measures;
- the sector in which the organisation operates;
- the administrative procedures and the functioning of the organisation;
- the IT systems, including different types of data processing technologies and their associated risks;
- the cybersecurity principles and security measures to safeguard the rights and freedoms of the data subjects.
Can the DPO be an employee of the organisation?
Yes, an organisation may decide to appoint one of its employees to act as the DPO of the organisation, but only insofar as the employee has the appropriate knowledge and skills to perform the tasks of the DPO.
Can the role of the DPO be outsourced?
Yes, an organisation may choose to appoint a DPO from outside the organisation. This is in accordance with article 37(6) of the GDPR, which states that a DPO can be a staff member of the organisation or an individual outside the organisation. Thus, the law enables the organisation to outsource the role of the DPO on the basis of a service contract. This Office advises organisations to ensure that the service contract entered into between the organisation and the DPO is not drafted in such a manner that the DPO is instructed as to how s/he performs his/her tasks pursuant to the GDPR. This Office recommends that the controller or processor conduct a thorough due diligence exercise before outsourcing the role of the DPO, which should involve assessing factors such as expert knowledge, independence, absence of conflict of interest, and the number of clients.
Can a single DPO be shared with other organisations?
Yes, a single DPO may act for a group of companies or different public authorities provided that the DPO is easily accessible.
Can the DPO be a legal person?
No, the DPO must always be a natural person.
How should an organisation communicate the DPO details to this Office as required under article 37(7) of the GDPR?
The organisation should communicate the details of the DPO by email to idpc.info@idpc.org.mt.
The organisation should communicate the following details: (a) the name of the controller or processor; (b) the name of the DPO; (c) the mailing address; (d) the email address; (e) the contact number; (f) the nature of business; and (g) the date of appointment. If the organisation chooses to appoint a DPO on a voluntary basis, the organisation should also communicate the details of the DPO to this Office.
Any changes to the details of the DPO should also be communicated to this Office as soon as possible.
Are controllers and processors required to notify this Office of the details of their DPO in circumstances where they are subject to the GDPR by virtue of the application of Article 3(2) of the GDPR, with no establishment (physical office or legal entity) in Malta?
When article 3(2) applies, the GDPR places an obligation on controllers and/or processors to designate in writing a representative in the Union. The representative shall be established in one of the Member States in which the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are located. However, the GDPR does not set out any requirement to notify supervisory authorities of the designation of representatives.
Nor does the GDPR specifically provide for the communication of the contact details of a DPO to a supervisory authority in cases where the controller or processor does not have an establishment in a Member State.
This Office believes that the principles set forth under Chapter 7 of the GDPR apply. The guidelines adopted by the EDPB in March 2023 on identifying a controller or processor’s lead supervisory authority explain that “the mere presence of a representative in a Member State does not trigger the one-stop-shop principle. This means that controllers without any establishment in the EEA must deal with local supervisory authorities in every Member State they are active in, through their local representative”.
Therefore, when article 3(2) and one of the criteria set out under article 37(1) apply, the controller or processor should inform this Office about the details of the DPO.
Can the representative of controllers or processors not established in the Union, appointed in terms of article 27 of the GDPR, act as the DPO of those organisations?
No, the representative of controllers or processors not established in the Union is subject to a mandate by the controller/processor and acts on its behalf, and therefore, under its direct instruction. In view of the requirement to enjoy a sufficient degree of autonomy and independence, the role of the DPO is not compatible with the function of the representative in the Union.
What information should the organisation publish in relation to the contact details of the DPO?
The contact details of the DPO should be published in the data protection policy and should include sufficient information to enable data subjects to reach the DPO easily, in particular when the data subjects wish to exercise any of the data protection rights set out in articles 15 to 22 of the GDPR or to raise a concern in relation to the processing activities of the organisation. The IDPC advises the organisation to create a dedicated email address for the DPO and to publish, as a minimum, the email address and the postal address of the DPO. There is no legal requirement to publish the name and surname of the DPO.
What are the tasks of the DPO?
This Office advises organisations to have a clearly defined, written description of the tasks of the DPO, and controllers/processors should work together with their DPOs to build up their roles in an appropriately comprehensive and independent way. When assigning the tasks of the DPO, the distinction between the controller/processor and the DPO should be clearly respected. For example, it is the obligation of the controller, not of the DPO, to carry out the Data Protection Impact Assessment (DPIA). The role of the DPO should be to provide advice on the manner in which the DPIA is conducted by the organisation and to evaluate the outcome of the DPIA.
The tasks of the DPO should be as follows:
- acting as the contact point for data subjects and this Office;
- monitoring the processing and protection of personal data within the organisation;
- monitoring data protection in the industry or field, and reporting to the highest level of management;
- reporting on the status and needs in relation to the data protection matters to the highest level of management;
- participating in the handling of personal data breaches;
- monitoring the performance of the DPIA;
- advising on DPIA;
- training of staff in relation to data protection legislation and data protection practices;
- raising awareness and fostering a culture of data protection within the organisation;
- participating in renewal/modification of procedures in relation to personal data processing;
- drafting and maintaining of data protection policies of the organisation;
- informing/advising on data protection obligations.
Can the DPO perform other tasks than those mentioned under article 39 of the GDPR?
Yes. The role can be included as part of another position provided that the role’s other tasks and duties do not result in a conflict of interests and the DPO has sufficient time to perform all of his/her tasks as set forth in article 39 of the Act.
What are the obligations of the controller/processor when a DPO is appointed?
Controllers and processors should ensure that DPOs are given sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments, including, where relevant to their activities.
The organisations should provide the following:
Support
- Providing active support for the role of the DPO;
- Designating the DPO through an official communication addressed to all staff to ensure that the DPO’s existence and function are known throughout the organisation;
- Ensuring that the DPO is involved in good time in all relevant business planning and design processes.
Resources
- Providing the DPO with access to infrastructure (facilities, equipment, and technology) as well as the financial resources and staff necessary to carry out his/her tasks, including adequate support, input and information from other services where needed;
- Giving the DPO full access to data and processing operations and ensuring that all staff members cooperate with the DPO.
Continuous Training
- Maintaining the DPO’s expert knowledge through continuous training on data protection and learning about the latest developments, including, where relevant to the DPO’s activities and/or purposes, new EU digital and AI-related legislation.
Time
- Ensuring that the DPO has the time necessary both to complete his/her tasks and to maintain his/her qualifications. Where the DPO is not appointed on a full-time basis, this Office recommends that organisations determine the percentage of time required for the role of the DPO and draw up a work plan.
To whom should the DPO report about data protection matters?
In terms of article 38(3) of the GDPR, the DPO should directly report to the highest management of the controller or the processor (e.g., board of directors) and therefore, the DPO should be placed in the organisational structure of the controller or processor directly under the highest management. This is indeed one of the safeguards to guarantee the independence of the DPO.
The EDPB warns that a lack of regular reporting prevents the management of the organisation from receiving sufficient information on data protection matters and on the work undertaken by the DPO; this undermines the DPO’s effective role under the GDPR and affects the organisation’s overall compliance.
How frequently should the DPO report to the highest management level?
While the law does not specify how frequent the reporting should be, infrequent or irregular reporting by DPOs to the highest management level raises significant concerns about effective oversight and governance.
The frequency of the reporting depends on the size and structure of the organisation and the complexity of the processing operations. Given that the GDPR applies to all organisations, there is no one-size-fits-all approach. For example, a large organisation is expected to report more frequently to the highest management level than a small organisation.
To this end, the IDPC encourages controllers or processors to draft internal data protection policies and adopt best practices to define the conditions, frequency, content, and effectiveness of the DPO’s direct reporting to the highest management level. It is also good practice for the DPO to submit an annual report to the highest management level documenting the activities performed by the DPO.
What should the DPO do if the controller/processor makes decisions that go against the data protection legislation?
If the controller or processor makes decisions that are incompatible with the GDPR and with the DPO’s advice, the DPO should be given the possibility to make his/her dissenting opinion clear to the highest management level and to those making the decisions. Such direct reporting ensures that the highest management level (e.g. the board of directors) is aware of the DPO’s advice and recommendations, as part of the DPO’s mission to inform and advise the controller or the processor. In these circumstances, it is also advisable that the DPO retain proper documentation of all exchanges of communication.
Is the DPO held responsible in case of an infringement of the data protection legislation?
No, the DPO is not held responsible in case of an infringement of the data protection legislation; data protection compliance is a corporate responsibility of the controller. Article 5(2) and article 24 of the GDPR make it clear that it is the controller, not the DPO, who is required to ensure and be able to demonstrate that the processing is performed in accordance with the GDPR. This is of course without prejudice to the professional liability of the DPO, as an employee or contractor of the controller or processor, as is the case for any other employee or contractor.
Who cannot perform the role of the DPO?
The CJEU, in the X-FAB Dresden case, concluded that a ‘conflict of interests’ may exist when a DPO holds a role or position within an organisation that involves determining the purposes and the means of the processing of personal data (the ‘how’ and ‘why’ of the processing), as DPOs have to evaluate, scrutinise and possibly criticise such processing independently under Article 39(1)(b) GDPR.
The Guidelines on the DPO go on to set out those positions that are typically conflicting with the role of the DPO, e.g., senior management positions, chief executive, chief operating, chief financial, chief medical officer, head of the marketing department, head of human resources and head of the IT department. It is also important to note that other roles, lower down in the organisational structure, may also be conflicting if such positions or roles lead to the determination of purposes and means of processing.
In addition, a conflict of interests may also arise, for example, if an external DPO is asked to represent the controller or processor before the Tribunal or Courts in cases involving data protection issues.
Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors:
- to identify the positions which would be incompatible with the function of DPO;
- to draw up internal rules to this effect in order to avoid conflicts of interests;
- to include a more general explanation about conflicts of interests;
- to declare that their DPO has no conflict of interests with regard to his/her function as a DPO, as a way of raising awareness of this requirement; and
- to include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid conflict of interests.
What guarantees have been provided by the GDPR to maintain the independence of the DPO?
The DPO should be in a position to perform his/her duties in an independent manner. To this end, the GDPR provides a number of safeguards to guarantee this independence, namely the following:
- DPO's direct subordination to the highest management levels of the organisation;
- Supporting the DPO in performing his/her tasks;
- Ensuring DPO's participation in all matters in relation to data protection;
- Prohibition of issuing instructions to the DPO regarding his/her tasks;
- Prohibition of instances where the DPO has a conflict of interest;
- Prohibition of dismissing and penalising the DPO; and
- Obligation of secrecy or confidentiality concerning the performance of the DPO’s tasks.
How can the role of the DPO be terminated?
Article 38(3) of the GDPR states that the DPO should not be dismissed or penalised by the organisation for performing his or her tasks. However, the protection against dismissal extends only to the DPO’s performance of his or her tasks and does not apply to other circumstances which may lead to the termination of employment, such as theft or harassment.