Responsibility of the data protection officer in the field of personal data protection
In monitoring internal compliance with data protection law, the controller or processor should be assisted by a person with expertise in data protection law and practices (as per Recital 97 of the GDPR preamble).What is the responsibility of the data protection officer for irregularities in the field of personal data protection? We answer below.
Does the compliance facilitator have to be a data protection officer?
The data protection officer may or may not be the person assisting the controller with respect to compliance with the provisions related to the protection of personal data. The entrepreneur therefore has several options to choose from, such as:
appointing an employee to perform a supporting role without granting him the status of a data protection officer;
appointing an employee to act as a data protection officer;
ordering a natural person who is not currently an employee of the administrator to perform a supporting role without granting him the status of a data protection officer (e.g. in the form of a mandate contract);
ordering a natural person who is not currently an employee of the administrator to act as a data protection officer (e.g. in the form of a mandate contract);
using the services of consulting companies without entrusting the formal role of a data protection officer;
using the services of consulting companies by entrusting an external company with the duties of a data protection officer,
taking over by himself, as the data controller, all obligations related to the protection of personal data.
There are situations where the data controller has limited choice and is forced to appoint a data protection officer. The appointment of an inspector is necessary when:
- personal data are processed by a public authority or entity;
- the main activity of the organization is the large-scale processing of data which, due to their nature, scope or purposes, require regular and systematic monitoring of data subjects;
- the organisation's activities are based on the large-scale processing of special categories of personal data as well as data on criminal convictions and offenses.
A data protection officer may be a person with appropriate professional qualifications, in particular professional knowledge of the law and practices in the field of data protection and the ability to fulfill the tasks imposed by law. Therefore, when there is a need to appoint an inspector, the data controller must use option 2, 4 or 6
Who is responsible for non-compliance with the provisions related to the protection of personal data?
There is no doubt that the data administrator bears full responsibility for irregularities related to the processing of personal data. Liability may take various dimensions, i.e. administrative, civil, and in extreme cases even criminal. The most common type of liability is administrative liability, with the possibility of imposing a fine of up to EUR 20 million or up to 4% of the company's total annual worldwide turnover in the previous financial year (whichever is higher). The reason for the imposition of an administrative sanction may be, for example:
processing of personal data contrary to the principles of the GDPR (e.g. the principle of data minimization, accuracy, purpose limitation, etc.);
processing of personal data without a legal basis;
failure to comply with the terms of consent to the processing of personal data (e.g. the condition of voluntary consent);
failure to meet the conditions for the processing of special categories of personal data (e.g. data on health, religion, sexual orientation);
failure to fulfill the obligation to exercise the rights of the data subject (e.g. the information obligation, the right to access data, the right to rectification);
irregularities in the transfer of personal data to third countries or international organizations.
In addition, in accordance with the GDPR, damages that a person has suffered as a result of processing in a manner that violates the provisions of the Regulation should be entitled to compensation from the controller or processor. The controller or processor may be relieved of legal liability if they prove that the damage was in no way caused by their fault. The concept of damage should be interpreted broadly, i.e. it can be directly related to both material and non-material losses (e.g. image, personal rights, etc.).
Can the personal data controller hold the data protection officer liable for damages related to improper data processing?
As indicated above, the responsibility of the personal data controller is clear and often has severe consequences. There may be situations where these (most often financial) consequences will be caused by failure or improper performance of duties by a person acting as a data protection officer. In such situations, the controller may charge a person who did not properly perform the role of data protection officer. The scope of this responsibility will depend on the legal relationship between the administrator and the inspector.
Start a free 30-day trial period with no strings attached!
Responsibility of the data protection officer who is the administrator's employee
The responsibility of the data protection officer, who is also an employee of the administrator employed under an employment contract, is based on the provisions of the Labor Code. Pursuant to Art. 114 an employee who caused the employer damage due to non-performance or improper performance of employee duties, shall be financially liable. The terms of "non-performance or improper performance" will include acts or omissions, such as:
failure to inform the administrator about an important obligation which results directly from the provisions of law,
concealing from the administrator an important fact regarding the personal data protection system.
An important aspect in the context of possible liability is the aspect of guilt. The Labor Code makes the scope of employee liability conditional on whether it was an unintentional or intentional fault. In the first case, the amount of compensation is determined in the amount of the damage caused, but it cannot exceed the amount of three months' remuneration due to the employee on the day of the damage. In the second case, there are no limits to the amount of possible compensation, which means that the employee may bear full financial liability. In practice, determining the type of fault or finding fault at all may turn out to be problematic. The burden of proof in this regard rests with the employer.
The employee designated as the data protection officer did not inform the administrator about the need to fulfill the information obligation towards his clients. As the company processes personal data on a large scale, the President of the Personal Data Protection Office, following a customer's complaint, imposed a fine on the controller in the amount of several dozen thousand zlotys.
Option A - no fault of the DPO
If it turns out that the employee has been indicated against his will as the data protection officer, despite the total lack of preparation for performing this function, and additionally he has not been provided with training and appropriate working conditions (e.g. independence and sufficient time to fulfill the DPO), no there should be an employee's fault. Consequently, it cannot be held responsible.
Option B - DPO fault
The situation will be completely different if, for example, it turns out that an employee designated as a data protection officer has been employed directly for the position of DPO, and has demonstrated appropriate experience and knowledge in the field of data protection during the recruitment process. In addition, the inspector's situation will be aggravated by the fact that he had the resources and opportunities to perform the role of DPO. In this variant, the fault of the inspector will be obvious. The amount of the possible claim of the data controller will depend on whether he will be able to prove to the inspector intentional or unintentional guilt.
Apart from the regulations described above, it should be mentioned that pursuant to Art. 121 of the Labor Code, compensation for the damage may take place on the basis of an agreement between the employer and the employee. In such a situation, the amount of compensation may be reduced taking into account all the circumstances of the case, and in particular the degree of the employee's fault and his relation to employee duties. Direct arrangements regarding liability rules between the employer and employee are also not excluded. However, these arrangements can only take a form that is more favorable to the employee, i.e. they cannot tighten the employee's responsibility in relation to the principles adopted in the Labor Code.
Responsibility of the data protection officer carrying out the order for the data controller
A solution often used by entrepreneurs is to outsource the functions of a data protection officer to specialists in this field or companies that provide consulting and training in the field of data protection. In such a situation, a contract for the provision of services is concluded. Pursuant to the provisions of the Civil Code, the parties concluding the contract may arrange the legal relationship at their discretion, as long as its content or purpose does not contradict the properties (nature) of the relationship, the law or the principles of social coexistence. In connection with the above, also the rules of liability may be specified in the contract.
If the agreement between the controller and the data protection officer does not contain detailed regulations on liability, the inspector's liability will be very broad (covering not only actual damage, but also lost profits), unless the damage is a consequence of circumstances for which the inspector is not responsible (e.g. external factors beyond the control of the inspector). Most companies dealing with the protection of personal data introduce limitations of liability into their contracts. This is a point that requires careful analysis, as in the event of damage it will condition the possibility of obtaining compensation from the company providing services as a data protection officer.