This survey will first briefly describe the role of the Data Protection Officer (“DPO”), introduced by the European Union’s new General Data Protection Regulation (“GDPR”), which will enter into force on May 25, 2018.[1] The discussion of DPOs will draw from the Guidelines on Data Protection Officers (“Guidelines”)[2] issued by the Article 29 Working Party (“Art. 29 WP”).[3] Second, the survey will address the new Privacy Shield framework that governs data transfer from the EU to the United States.
II. THE DATA PROTECTION OFFICER
The new regulatory framework that the GDPR establishes emphasizes the principles of compliance and accountability. Within that framework, the DPO undoubtedly will be central, conceived of as an intermediary between companies (controllers and those responsible for data processing) and national Data Protection Authorities. In essence, the office of the DPO has as its special responsibilities the implementation and supervision of internal processes to ensure compliance with the GDPR.
A. APPOINTMENT OF THE DPO
The DPO is an officer appointed by a data “controller” or “processor.”[4] The DPO may be an employee of the appointing entity or an independent consultant. In some situations, appointment of a DPO is mandatory, while in others it is voluntary. A controller or processor must appoint a DPO if:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.[5]
The Art. 29 WP recommends that a controller or processor document the analysis it performs to determine whether it must appoint a DPO.[6] This practice is appropriate for two reasons: the analysis forms part of the documentary evidence to be produced under the accountability principle, and the supervisory authority may request it, for example where the controller or processor undertakes new activities or provides new services that might fall within the cases listed in Article 37(1).[7]
The GDPR does not define the term “public authority or body” as used in subsection (a) of the provision of Article 37 quoted above. The Guidelines indicate that the term should be defined …