No excuses! The Spanish data protection authority, Agencia Española de Protección de Datos (AEPD), has started to act against organisations that still do not have a data protection officer (DPO), even though the obligation has been in force for two years.
First fine for a company for failing to appoint a DPO in Spain
Following two complaints to the AEPD, Glovo, a digital platform that connects customers with independent local couriers, who acquire goods from restaurants or shops and deliver urgent packages, was fined €25,000 by the Spanish authority this April. The decision by the AEPD can still be appealed.
Article 37 of the EU general data protection regulation (GDPR) requires companies to appoint a DPO when, among other conditions, data is being processed 'on a large scale'. With no definition of 'large scale' in the Spanish legislation, the company had decided not to appoint a DPO. But the AEPD saw things differently, with Glovo processing thousands of personal profiles every day and thus on a large scale.
The fact that Glovo had set up a data protection committee that had similar functions to a DPO and argued that the rights of its clients had always been fully protected were not enough to avoid the fine. It also wasn't enough that Glovo had appointed a DPO after the AEPD had begun proceedings against the company.
What does this mean for other businesses?
This case suggests that any GDPR 'honeymoon period' has ended and that the AEPD is ramping up its compliance and enforcement activities.
Apart from appointing a DPO, if required under GDPR, companies should also look at the officer’s skill set. While the law does not require any specific training for DPOs, in practice the position requires certain legal knowledge, data protection experience and a clear understanding of how the organisation operates.
The independence of the DPO should also be considered. As set out above, their main function is to oversee the organisation's privacy policies and procedures. But the fact that the DPO is also part of the organisation means that they may sometimes face conflicts of interest. Outsourcing the DPO function may be one way of avoiding this.
The coronavirus crisis has boosted online commerce, both for goods and services, which has increased the volume of personal data being processed. As such, this is a good time for companies to review their status from a GDPR perspective.
