With a decision dated 1 April 2020, the Spanish Data Protection Authority (hereinafter, the “Agencia Española Protección Datos” – “AEPD”) sanctioned a Spanish company doing business in the home delivery sector following the relevant online booking, used by thousands of customers, due to the failure to designate a Data Protection Officer (hereinafter, the “DPO” or the “Head of Data Protection”) pursuant to Article 37 of Regulation (EU) 2016/679 on personal data protection (hereinafter, the “Regulation”).

One of the new developments introduced by the Regulation is the role of the DPO. Indeed, Articles 37, 38 and 39 include provisions in connection (i) with the designation of the DPO (ii) with the position held by such role within an organisation and (iii) with the reference as to the minimum duties to be assigned thereto in light of the nature, scope of application, context and aims of the processing carried out by the Data Controller or by the Data Processor.  

However, if we stick to a literal interpretation of the Regulation, not all Data Controllers or Data Processors are under an obligation to designate any such role.

The above-mentioned line of interpretation arises out of the content of Article 37, based on which it is necessary to designate a DPO in any case where: “(i) the processing is carried out by a public authority or body (…)”, “(ii) the core activities (…) consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”, or (iii) “the core activities (…) consist of processing on a large scale of special categories of data (…) or personal data relating to criminal convictions (…).

From the very first interpretation of the Regulation, such cases have started considerable debate with the corresponding different stances on the side of law scholars. The expressions “large scale” “regular monitoring of data subjects on a large scale” are rather vague and, often, in the actual implementation of the Regulation, they may bring about interpretative doubts.

In this respect, the decision of the AEPD at issue is not only significant because it includes one of the first sanctions inflicted as from the entering into force of the GDPR following the ascertainment of the failure to designate the DPO, but also and moreover, because it constitutes a precedent in the definition and demarcation of the “large scale” concept. Indeed, the Spanish Authority emphasises the numerical significance of the data subjects affected by the processing as a necessary condition in order to ascertain the vague large scale concept.

Within our domestic scope, notwithstanding the rules under the Regulation, the Italian Data Protection Authority has clarified that it is also possible to designate a DPO even in those cases not falling within those imposed by the Regulation. Indeed, in light of any such clarification, it is good practice to accurately ground and document the reasons why the Data Controller, or the Data Processor, have made the decision to identify any such role or not.

Finally, we would like to recall that infringements of the obligations under the aforesaid Articles 37, 38 and 39 of the Regulation entails, pursuant to Article 83(4) of any such Regulation to the infliction of an administrative fine up to Euro 10,000,000.00 or, in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.

Others insights related:

FAQs of the Data Protection Authority on the Data Protection Officer of Personal Data

DO YOU KNOW THAT.. The GDPR has introduced the DPO?