Before answering the first question posed, it is useful to know some differences between a Data Protection Officer ("DPD" in its Spanish acronym, "DPO" in English) and a lawyer. The difference lies in the fact that the DPD exercises an independent role and offers a multidisciplinary vision that goes beyond mere legal advice. In the following sections, we will answer the first question posed, looking more precisely at the cases in which a DPD must be appointed, the functions performed by the DPD, and the relationships of the DPD with the different agents, both inside and outside the organization.
Let's start. The DPD is a new figure introduced by the data protection regulation to ensure compliance with it within an entity. It can be either a natural person or a legal entity, as long as it fits the profile of a data protection expert and also has specialized knowledge of the law, although it does not need to be a lawyer.
After this first approach, it is now necessary to know in which cases the figure applies, and therefore whether its designation is necessary. According to the law, the appointment of a DPO is mandatory when: (i) the processing is carried out by a public body; (ii) the processing operations involve the processing of large amounts of personal data on a "large scale"; or (iii) the processing operations involve the processing of special categories of personal data on a "large scale" (e.g., health, genetic or biometric data).
In view of the above, if any one of the three cases is present, the designation is mandatory, regardless of other aspects such as the size of the company or its sector of activity. Without going further into the designation itself, it should be added that the entity must publish the contact details of the DPO, in order to clearly establish the point of contact between the entity and the data subject; in addition, the appointment, renewal and termination of the DPO must be communicated to the competent supervisory authority (e.g. www.aepd.es).
So, whether we are obliged to do so or not, if we want to appoint a DPD, he or she must, as a minimum, perform the following functions within the organization: (i) inform and advise on the obligations arising from the data protection regulations, with a multidisciplinary vision beyond the merely legal aspects (e.g., privacy by design and by default); (ii) supervise compliance independently (e.g., as an internal auditor), and raise awareness and train staff in data protection; (iii) advise on data protection impact assessments; (iv) cooperate with the competent supervisory authority; and (v) serve as the point of contact with the supervisory authority.
In short, our recommendation is that you should be well informed about this new figure and, more importantly, that when choosing the DPD, the employer, whether acting as data controller or data processor, should verify the candidate's knowledge of data protection. The reason is simple: bad practice by the DPD could entail risks of non-compliance, as well as create obstacles that prevent or delay the activity of the company, and even the innovation of the organization. According to Article 83.4 of the RGPD, such non-compliance may constitute infringements considered serious, which are subject to a statute of limitations of two years and carry penalties of up to 10 million euros, or an amount equivalent to 2% of the company's total annual turnover.
If you have any doubts or consider that you need a data protection officer, we will be more than happy to help you in this regard.