Resource created by Fabio Cassanelli, Co-founder & GDPR Consultant at Argo Business Solutions
When is the appointment of a DPO mandatory?
The Data Protection Officer (DPO) is a role introduced by Article 37 of Regulation (EU) 2016/679 (GDPR). The DPO may be a natural person, internal or external to the organisation, or a legal person, appointed by the data controller or processor to perform support, control, advisory, training and information functions relating to the application of the GDPR.
The DPO's contact details must be notified to the Data Protection Authority by following a specific online procedure.
But are startups required to appoint a DPO?
According to Article 37 of the GDPR, the controller and the processor must systematically appoint a data protection officer if:
- the processing is carried out by a public authority or a public body;
- the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require the regular and systematic monitoring of data subjects on a large scale;
- the core activities of the controller or processor consist of the processing, on a large scale, of special categories of personal data referred to in Article 9 or of data relating to criminal convictions and offences referred to in Article 10.
The special categories of data are those revealing ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health or sex life.
Does my startup need a DPO?
The correct answer is: it depends.
If the startup performs processing operations that involve monitoring data subjects on a large scale, or processes special-category or judicial data on a large scale, it must appoint a DPO.
However, even if the startup does not fall into the above-mentioned categories, if there are no adequate privacy and data protection skills among the founders or staff, our advice is to make the appointment of a DPO one of the preliminary steps. Even where the Regulation does not strictly require the appointment of a DPO, a voluntary appointment is still possible.
The DPO will support the startup in applying the principles of privacy by design and by default, and help it with all the other tasks required by the GDPR. In addition, the DPO will be able to interface with investors, providing them with the information needed to demonstrate the startup's GDPR compliance.
Beware of Conflicts of Interest
Although the DPO is allowed to hold other positions within the company and perform other tasks, it is very important that no conflict of interest with the startup arises. Since the Data Protection Officer must meet the requirement of independence, he or she may not be one of the founders or hold a 'senior or middle management' position such as chief executive officer, chief operating officer, chief financial officer, chief medical officer, marketing director, human resources director or IT director.
If the DPO is to be a figure from outside the organisation (either a natural person or a legal entity), it is incompatible with the independence requirement to assign the task to persons who, in providing services in the interest of the controller, might find themselves in a position of conflict of interest, such as IT service providers, software houses, etc.
We trust you enjoyed this resource and that it has given you the tools you need to tackle GDPR for your startup! If you missed them or need to catch up on other information, read the first two parts of the resource.