The Data Protection Commission (DPC) has completed its ‘own volition’ inquiry into whether the Department of Employment Affairs and Social Protection interfered with the role of its Data Protection Officer (DPO). The inquiry concerned the process leading to the amendment of the Department’s Privacy Statement on 6 July 2018. The DPC examined whether the Department’s DPO was involved in a proper and timely manner in the process (as required by Article 38(1) of the GDPR); and whether the DPO received instructions regarding the exercise of his tasks (contrary to Article 38(3) of the GDPR). The DPC concluded that the Department had not breached Articles 38(1) or 38(3) of the GDPR.
On 4 July 2018, the Department received a media query in relation to the reference to biometric data in its Privacy Statement. This query set off a series of internal email threads and discussions within the Department on 5 July 2018, questioning the reference to biometric data. The DPO was on annual leave that day, but replied to emails and had a number of phone calls on the issue throughout the day. On 6 July 2018, the Department amended its Privacy Statement and removed the only reference to its processing of biometric data from the Statement.
Following publication of the amended Privacy Statement, Digital Rights Ireland (DRI) made a complaint to the DPC (on behalf of an individual) alleging “a serious interference with the independence of the DPO” in the Department in violation of Article 38 GDPR. The DPC subsequently commenced an ‘own volition’ inquiry into the Department to determine whether it had interfered with the role of its DPO. The question of whether the Department complied with its transparency obligations under the GDPR, when removing the reference to biometric data in the Privacy Statement, was outside the scope of the inquiry.
In making its decision, the DPC examined the thread of internal emails and discussions within the Department from 4-6 July 2018; considered the broader context and factual background in which the amendment occurred; conducted a voluntary interview with the DPO who held the position at the relevant time; and took into account written statements by the Department’s Secretary General and DPO.
In his interview and statement, the DPO made it clear that despite being on annual leave on 5 July 2018, he was in continuous contact with the office about the amendment to the Privacy Statement. He confirmed that he was “entirely satisfied that the views of the DPO were included in the overall consideration of the matter by the Secretary General”. The DPO further asserted in his statement: “There is no evidence that the opinion of the DPO was not given due weight. The Secretary General wrote several emails where he clearly documented the reasons for not following the DPO’s advice”. The DPO also stated that he could “clearly and categorically confirm that [he] did not receive any instructions from the Secretary General or any Assistant Secretary, in this matter”.
(i) Article 38(1) – What does proper involvement in a timely manner require?
Article 38(1) GDPR requires controllers and processors with a designated DPO, to ensure that the DPO is “involved properly and in a timely manner” in all issues relating to the protection of personal data. The DPC was satisfied that the Department’s amendment to its Privacy Statement was an issue that related to the protection of personal data, and it was therefore necessary for the DPO to be properly involved. The DPC noted that the GDPR does not expressly define what constitutes “involved properly“, and in those circumstances one must have regard to the context, objective and purpose of Article 38(1) in light of the GDPR as a whole. In doing so, the DPC stated that “it is clear that proper involvement goes beyond requiring that the DPO is informed of issues relating to the protection of personal data. Proper involvement requires a consultative role in which the DPO must have an opportunity to make a meaningful contribution on the issue in question, and in which the controller or processor must give due weight to any advice rendered”. However, the DPC noted that the opportunity to make a meaningful contribution “does not bestow a decision-making role on the DPO beyond their tasks pursuant to Article 39“. On the contrary, the controller is responsible for making decisions on measures implemented to ensure compliance with the GDPR. Controllers may therefore accept or reject any advice rendered by the DPO.
The DPC further highlighted that the obligation to involve the DPO “in a timely manner” requires that the DPO must be involved at a point in time in which the organisation is deciding its course of action in respect of the data protection issue. It is not sufficient for the DPO to be involved after the organisation has made its decision, in a binary approval/disapproval role. It also requires that all relevant information necessary for the DPO to advise on that data protection issue must be provided at a point in the timeline that enables the DPO to make a meaningful contribution.
(ii) Article 38(3) – To what extent can a controller instruct a DPO as part of its ordinary employment relationship?
The DPC noted that the obligation in Article 38(3) to ensure that the DPO does not receive any instructions regarding the exercise of “those tasks” structurally relies on the preceding sub-article. Article 38(2) makes clear that the tasks referred to in Article 38(3) are the “tasks referred to in Article 39”. This ensures the independence of the DPO when carrying out those tasks. However, the DPC stated that it is not the purpose of Article 38(3) to prohibit all possible instructions that may be given to a DPO as part of an ordinary employment relationship. Article 38(3) clearly prohibits a controller from instructing the DPO to interpret the law in a particular manner or to arrive at a particular conclusion in their advice. However, where a controller disagrees with the DPO’s independent and autonomous advice, the GDPR does not prevent that controller from providing instructions to the DPO in relation to implementing the controller’s preferred approach once those instructions do not relate to the Article 39 tasks. On the contrary, it is entirely proper for the DPO to be involved in implementing the controller’s decision.
(i) Compliance with Article 38(1) GDPR
The DPC concluded that the Department involved their DPO, properly and in a timely manner, in the process of amending the Department’s Privacy Statement. Therefore, the Department did not infringe Article 38(1) of the GDPR.
The DPC stated that it was clear that the Department did not simply inform the DPO of the media query in a trivial way, but rather consulted the DPO and his team with the purpose of inviting “a meaningful contribution” in developing the Department’s course of action. The Department informed the DPO of the original media query soon after receiving it, and was the only official included on all of the pertinent emails on 5 July 2018. Although it was significant that the DPO was on annual leave on 5 July 2018, the DPC said that that fact alone does not provide a full picture of the DPO’s involvement throughout the day. The DPO sent three emails on the issue over the course of the day, and was also in continuous contact with the GDPR/DPO Unit Official. At no point did the DPO suggest that the Department should postpone the question of amending the Privacy Statement until his return from annual leave the following day. In addition, in his interview with the DPC and in his statement submitted to the DPC, the DPO consistently maintained that he was involved in the consideration of the issue throughout the day. In both the interview and the statement, the DPO stated his view that he was involved in a proper and timely manner in the amendment to the Privacy Statement.
In considering whether there was an infringement of Article 38(1), the DPC said it was also necessary to have regard to any involvement of DPO team members working under the direct supervision of the DPO. The facts established that the DPO maintained contact with his team throughout the day, and supervised the advice provided by the GDPR/DPO Unit Official in respect of the amendment to the Privacy Statement. The DPC was therefore satisfied that the DPO had an opportunity to make a meaningful contribution to the amendment to the Privacy Statement, and the GDPR/DPO Unit Official also exercised that opportunity under the DPO’s supervision.
Although the Secretary General rejected an amendment proposed by the GDPR/DPO Unit Official, that would have maintained a reference to biometric data in the Privacy Statement, the DPC stated that the Secretary General was entitled to do this because Article 38(1) does not oblige controllers to follow any advice rendered. The DPO and his team were included on the Head of Communication’s email to the Secretary General with the new proposed amendment, which would result in a blanket removal of the reference to biometric data. The DPC said that the facts established that the DPO actively decided not to contribute to the issue any further at this point. The DPC was satisfied that the DPO’s decision not to advise further could not give rise to an infringement of Article 38(1). In the DPC’s view, that provision leaves discretion with DPOs to decide on the form and content of any advice that they may give, and to decide on the question of whether to provide advice in the first place. The DPC was also satisfied that the Secretary General gave due weight to the advice rendered by the DPO and the GDPR/DPO Unit Official.
Involvement in a timely manner
In determining whether the DPO was involved in a timely manner, the DPC considered whether the DPO was involved at a point in time in which the Department was deciding its course of action in respect of the Privacy Statement. The DPC also considered whether the DPO had access to all relevant information at a point in the timeline that enabled the DPO to make a meaningful contribution. In the circumstances, it was clear that the DPO was involved in a timely manner. The Department received the press query on the evening of 4 July 2018 and the Press Office included the DPO on their first request for a draft response the following morning. As outlined above, the DPO was also included on all pertinent emails throughout the day, including when the Department formulated its first response, and the later revised amendment. The DPO’s interview with the DPC further confirmed that the DPO was substantially involved in the amendment to the Privacy Statement throughout the day.
(ii) Compliance with Article 38(3) GDPR
The DPC was satisfied that the Department did not provide any instructions to the DPO regarding the exercise of the tasks referred to in Article 39 of the GDPR in respect of the Department’s amendment to its Privacy Statement. Therefore, the Department did not infringe Article 38(3) of the GDPR.
As noted above, the DPC stated that it is not the purpose of Article 38(3) to prohibit all possible instructions that may be given to a DPO as part of an ordinary employment relationship. Therefore, the DPC found that the Secretary General was entitled to send his email to the DPO, on 5 July 2018 asking him to “check the rest of the GDPR info and privacy statement to make sure that we don’t refer to collection of biometric data.” The DPC stated that this instruction did not concern the DPO’s task of advising the Department of its obligations under data protection law. The Secretary General made this instruction having considered the advice rendered earlier in the day. The instruction did not preclude the DPO from providing further advice and it did not instruct the DPO as to how he should advise the Department in the future. The Department, as the entity accountable for complying with the GDPR, is ultimately responsible for making decisions on measures implemented to ensure, and to be able to demonstrate, compliance with the GDPR. Therefore, the Secretary General is entitled to make decisions regarding the content of the Privacy Statement.
This is the DPC’s first statutory inquiry into a controller’s compliance with its obligations under Article 38 of the GDPR. It provides some helpful guidance on what constitutes proper and timely involvement of the DPO in data protection issues, and the extent to which a controller can give instructions to the DPO as part of the ordinary employment relationship, whilst ensuring compliance with Article 38(3).
The decision highlights the importance of ensuring the DPO is involved in all data protection issues at the earliest stage possible; providing the DPO with an opportunity to make a meaningful contribution on such issues; giving due weight to the DPO’s advice, and documenting any reasons for not following such advice.
We will likely see further regulatory activity over the coming year in respect to compliance with Articles 37-39 of the GDPR, concerning the appointment, role and tasks of the DPO. The DPC announced in its Annual Report for 2020 that it will be expanding its regulatory activities in relation to private sector compliance in this area. Last year, the DPC commenced a project to assess compliance by public bodies with their Article 37 of the GDPR obligations. From a total of 250 public bodies, the DPC identified 77 public bodies as potentially not compliant with the requirements in Article 37 of the GDPR.