2012
Newcomer II

Advice on designating a Data Protection Officer (DPO) for a US company having EU customers

Hello All,

 

I would appreciate it if those who are familiar with DPO aspects could provide some guidance.

 

GDPR states the following regarding the DPO requirement:

 

"Virtually all public sector bodies will be required to designate a DPO under the GDPR.
When it comes to the private sector, the GDPR introduces a limited mandatory DPO requirement.
Controllers and processors will only be required to designate a DPO if their core activities consist of:
i. processing operations which, by virtue of their nature, scope and/or purposes, require regular and
systematic monitoring of data subjects on a large scale; or
ii. processing on a large scale of special categories of data or data relating to criminal convictions and offences."
 
A SaaS provider offering solutions to end users in the EU (through their orgs) will not be coming under the two core activities mentioned above. If the PII collected is minimal, without any payment instrument data or health-related information, would appointing a DPO be useful to demonstrate further compliance with GDPR?
 
Additionally, if it would be better to have a DPO in a member state where the provider conducts most business (i.e., the state where the supervisory authority for GDPR will be), would a consultant in that state do? If the DPO is a person in the US, I'm not sure how that will fly with different member states.
 
Thanks in advance.
6 Replies
Steve_D
Newcomer I

The Article 29 Working Party group has guidance on appointing a DPO, but it's mostly focused on the role:

 

http://ec.europa.eu/newsroom/document.cfm?doc_id=44100

 

It does express a preference for EU-based DPOs, but it's not mandatory.

 

It's very difficult to comment further without more clarity on the data you are storing - the "large scale and systematic" part of the storage will be the key issue. If you're storing, for example, name, address, email and phone number for 1000s of data subjects in the EU for your customers, you'd almost certainly be seen as needing a DPO.

2012
Newcomer II

Thank you for your response.

Steve-Wilme
Advocate II

See WP29 WP243 opinion and the related FAQs.

 

It is considered good practice by the WP29 to appoint a DPO on a voluntary basis even if the 3 conditions in article 37 are not met.  I'd suggest that, as a SaaS supplier may be processing personal data of many clients, it therefore needs to carefully consider documenting any decision not to appoint a DPO.  If the EEA country is Germany you will have to appoint a DPO, as national legislation requires it.

 

A consultant on a service contract in the relevant country would be acceptable under GDPR.  It will be more difficult to argue that a DPO in the US has the relevant experience of EU jurisdictions, is fluent in the relevant languages and is easily contactable given time zone differences etc.

 

Steve

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
oms
Newcomer I

Dear Newcomer,

 

Since I am not a lawyer, I can't tell you if it is legally required for that business. But from my practical experience (in Germany), appointing a DPO is seen very positively by customers and their DPOs here. It is common practice that these DPOs are very often external consultants, in many cases from organisations with a good reputation such as the TÜV. They have a good knowledge of what companies and governments expect in their country (and there are some differences, as I had to learn in the past). Their charges are reasonable, mostly based on effort.

Especially in a phase where customers come up with all sorts of questions and contract templates they obtained from the web, some advice can only be an advantage. When these types of issues decrease, you can always reduce the consultancy.

 

I hope that helps. If practical information from Germany is needed, drop a line.

 

Kind regards,

oms

 

oms
Newcomer I

Dear 2012,

 

I am sorry, that was my first post here. I just realised that "Newcomer" is just the "level".

 

Kind regards,

oms

Steve-Wilme
Advocate II

No problem, the tags newcomer, contributor, etc. are a bit strange.  Thanks for the feedback though.  I was aware that in a German context the role of the DPO was long accepted.

 

Steve

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS