When it comes to appointing a Data Protection Officer (DPO), art. 37 sec. 1 GDPR determines the cases in which entities are obligated to nominate a DPO. Even considering the open clause laid down in art. 37 sec. 4 GDPR, there are three cases in which processors and controllers are obligated to designate a DPO.
As regards public entities, according to art. 37 sec. 1 lit. a GDPR, a DPO must be designated when the processing of personal data is carried out by a public authority or body, except for courts of law acting in their judicial capacity. Most public entities carry out some type of personal data processing, e.g. public hospitals process medical data, and social security services deal with a great amount of personal and financial data. In all these cases, it is mandatory to nominate a DPO. Apart from the courts (when acting in their judicial capacity), this rule does not apply to public entities that do not require the processing of personal data to carry out their activities. If the processing of personal data is required, even for secondary or auxiliary activities of the public body, a DPO must be nominated. In short, the rule stated in art. 37 sec. 1 lit. a GDPR does not differentiate between the primary and secondary activities of public entities.
In contrast, art. 37 sec. 1 lit. b and c GDPR, which apply to private entities, require a fundamental distinction between the core activities and the secondary or auxiliary activities of the controller. Therefore, private entities shall designate a DPO when their core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or when their core activities consist of processing, on a large scale, special categories of data pursuant to art. 9 GDPR.
In this context, it is possible to see how the risk-based approach of the GDPR reveals itself. The obligation to nominate a DPO arises from a qualitative criterion, not a quantitative one. In other words, the European legislator has chosen the characteristics of the data processing as the criterion, rather than the size of the entity, its economic importance, or any other quantitative aspect.
From this perspective, one question arises: what should be considered the “core activities”? Many authors consider that the core activities of an entity are those related to its principal (or primary) activities. Therefore, if the principal activities are not related to data processing, the data processing should be considered an auxiliary activity. Consider, for example, an online store that uses clients’ personal data only to process and execute orders. The processing of clients’ personal data is an auxiliary activity that supports the core activity, which is the sale of products.
On the other hand, when the processing of personal data is related to a company’s main service, it is clear that the nomination of a DPO is mandatory. This is the case, for example, for recruitment companies or temporary employment companies. Indeed, the “core activity” of those companies consists in processing personal data in order to provide their services to other companies.
Returning to the first example, let us now suppose that this online store is trying to reach new European customers. For this purpose, it uses a cookie policy that, once accepted by website visitors, allows the processing of personal data such as the IP address, which can be used to determine the visitors’ geolocation. In such a case, the processing of personal data can no longer qualify as an auxiliary activity, since it has become part of a business strategy to increase online sales. In this case, it is mandatory to nominate a DPO.
In order to understand the distinction between core activities and secondary/auxiliary activities, we should consider whether the processing of personal data is a reactive activity or a proactive activity. In the first group, we should place all activities that are triggered by the core activity. This is the case in the first example, where the processing of personal data is set in motion to execute the client’s or buyer’s orders. In the second group, we should place all activities that a company undertakes to stimulate the core activity, either by increasing it or by directing it toward target clients. In such cases, represented by the second example, the nomination of a DPO is mandatory under art. 37 sec. 1 lit. b and c GDPR. This idea seems to be aligned with the understanding of the Article 29 Data Protection Working Party (‘WP29’), for whom the “Core activities can be considered as the key operations necessary to achieve the controller’s or processor’s goals.”
The proposed reasoning is intended as a guideline for determining the nature of the controller’s or processor’s activity and should not be taken as an absolute rule. It is always necessary to consider the particularities of each activity. Sometimes the processing of personal data appears to qualify as an auxiliary activity. That is the case for hospitals, whose core activity is to provide health care. However, in such a case the processing of personal data forms an inextricable part of the controller’s or processor’s activity and cannot be considered an auxiliary activity. In these cases, it is mandatory to nominate a DPO.
Overall, if the activities of the controller or processor raise any doubt about their nature or qualification under the GDPR, it is advisable to nominate a DPO in order to avoid any sanction under the GDPR.