Companies concerned
Duties. The data protection officer (DPO) is the person responsible for informing and advising the company on its data protection obligations, supervising compliance, and acting as the point of contact with the Spanish Data Protection Agency (AEPD).
On a large scale. However, not all companies must appoint such a delegate. Only those that carry out large-scale processing of specially protected data must do so, whether they act as data controllers or as data processors (i.e., if they receive the data in order to provide a service to the data controller). For example, financial companies, health care institutions, insurance companies, educational establishments, etc.
Designation of the DPO
External or in-house. If your company is obliged to have a DPO, you can appoint an external person (e.g. a consultant). Another option is to appoint an in-house employee. In this case, please note:

  • Your employee should have technical knowledge (not necessarily a lawyer) and experience in data protection.
  • Your company must guarantee the independence and impartiality of the DPO. Attention! This means that the DPO must act freely (he/she cannot take instructions).
  • It must also provide him/her with the necessary resources to carry out his/her duties (e.g. data protection training).

In practice. The DPO will be an employee in a position of trust within his or her company (because of his or her access to management and the autonomous exercise of his or her functions).
Employment implications
Protected. If the DPO is an employee of your company, although he/she will not have the guarantees of workers' representatives, he/she cannot be sanctioned or dismissed for carrying out his/her work as a delegate, unless he/she acts with gross negligence or malice.
In writing. Also, reflect your employee's designation as DPO in writing:

  • Since he/she must maintain secrecy in the performance of his/her duties, regulate his/her duty of confidentiality in the document.
  • If the workload as DPO will prevent him/her from continuing to perform his/her previous duties normally, regulate a redistribution of his/her tasks. For example, that he/she will keep his/her previous position at a rate of 75% of the working day, and that the remaining 25% of the working day will be spent as DPO.
  • This document will also serve as proof that the person concerned accepts the appointment.

Your company must have a DPO if it processes sensitive data on a large scale. If so, you may either hire an external DPO or appoint an employee. In the latter case, you should put the designation in writing.