According to the GDPR, it is either the data controller or the data processor that can be held liable if the regulation is not followed. In most cases this is a legal person. In this blog post we examine whether only these actors can be held liable or whether, in certain cases, a Data Protection Officer can be held personally liable based on the GDPR.
What is a Data Protection Officer?
Before we look into liability, it is good to clarify what a Data Protection Officer is and what they do. For some organisations, it is obligatory to appoint a Data Protection Officer. It is obligatory if:
- The processing is carried out by a public authority or a public body,
- The core activities of the organisation consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or
- The core activities of the organisation consist of large-scale processing of special categories of personal data.
Even when it is not mandatory, the European Data Protection Board (formerly the Article 29 Working Party) recommends that the organisation appoints a Data Protection Officer, especially when a private organisation carries out public service tasks or exercises public authority.
The Data Protection Officer shall be appointed based on their professional qualifications and expertise in case-law and legislation in the field of data protection. The Data Protection Officer can therefore not be just anyone but needs to have certain characteristics and competences. Further, the Data Protection Officer’s contact details must be published and communicated to the Supervisory Authority, which in Sweden is “Integritetsskyddsmyndigheten”.
It is important that the Data Protection Officer performs their tasks independently. This means that the Data Protection Officer may not receive instructions regarding how those tasks are to be carried out. The Data Protection Officer must also not be penalised for doing their job.
What a Data Protection Officer can and cannot do
The Data Protection Officer’s tasks include, among other things, to:
- Supervise the compliance with GDPR,
- Help with impact assessments,
- Act as a contact person for data subjects, the Supervisory Authority and internally within the organisation as well as cooperate with the Supervisory Authority, and
- Be involved with all questions concerning the protection of personal data.
It is important that Data Protection Officers are given enough independence to be able to perform their tasks.
The Data Protection Officer is not allowed to perform a task that could potentially lead to a conflict of interest with their role as a Data Protection Officer. This entails, among other things, that the Data Protection Officer cannot have a role in determining the purposes and means of different processing operations. Read more about Data Protection Officers here (in Swedish).
Liability based on the GDPR
It is the data controller or the data processor that shall ensure compliance with the GDPR. It is also the data controller or the data processor that must be able to demonstrate that they process personal data in accordance with the regulation. There are two types of costs that might be imposed on data controllers or data processors based on the GDPR: administrative fines and liability for damages. The data controller or the data processor retains responsibility for legal compliance with the GDPR even when the organisation has appointed a Data Protection Officer.
Liability for Data Protection Officers
The Data Protection Officer cannot be held personally liable under the GDPR if the regulation is not complied with, even though it is the Data Protection Officer’s task to supervise compliance with the regulation. Only the data controller or the data processor can be held responsible according to the GDPR. With this said, the Data Protection Officer can be held responsible on other grounds.
At this very moment, there are cases pending before the courts regarding personal liability for Data Protection Officers, both in the UK and in Switzerland. In both cases, the costs have been borne by the companies, which are now claiming compensation from their Data Protection Officers. Switzerland is not part of the EU or the EEA, but its legislation on personal data protection is very similar to that within the EU. These two cases could therefore have a large impact on EU case-law.
Since personal liability for Data Protection Officers is not a possibility under the GDPR, it is only at stake in certain cases. Since the GDPR does not contain any exemption for Data Protection Officers, liability based on the provisions of the Swedish Tort Liability Act (TLA) regarding employees is a possible scenario. The provision that regulates liability for employees is chapter 4 § 1 TLA. For this provision to apply, the following conditions have to be fulfilled:
- Damage has been suffered by the employer.
- The damage has been caused by the employee’s fault or negligence.
- It is necessary that there is a link of causation between the actions of the Data Protection Officer and the damage suffered.
- There are serious reasons.
The result of the above is that the Data Protection Officer must have acted intentionally or with gross negligence to be held personally liable. If a Data Protection Officer reports correct information to the board of the organisation, they should be able to avoid being held personally liable. However, we eagerly await further guidance in this field of law.
Have you appointed a Data Protection Officer or are you a Data Protection Officer?
We are always happy to help you evaluate whether you need, or would benefit from, a Data Protection Officer! Did you know that we offer Data Protection Officer as a service? Contact us via email@example.com.
Are you a Data Protection Officer? Book a demo of GDPR Hero today – the digital GDPR tool that makes your work easy! You can book a demo here.