In our communication with internet traders we have recorded a number of queries about the so-called data protection officer under Article 37 of Regulation (EU) 2016/679 of the European Parliament and of the Council, known as the GDPR (hereinafter “the Regulation”). Specifically, traders ask whether the Regulation obliges operators of internet shops to appoint such an officer. This legal circular is therefore devoted to this issue.
Article 37(1) of the Regulation sets out three cases in which a controller or processor of personal data is obliged to appoint an officer, two of which will not apply to ordinary internet shops. These concern the processing of personal data by public authorities and the processing of special categories of personal data (so-called sensitive personal data in current terminology). For internet shops, therefore, only the situation under Article 37(1)(b) of the Regulation comes into consideration. This provides that “the controller and the processor shall designate a data protection officer in any case where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale…” It is therefore clear that any obligation to appoint an officer would derive primarily from the nature of the particular trader's activities (monitoring the behaviour of internet users).
In interpreting Article 37(1)(b) of the Regulation, it must be stated at the outset that the Regulation governs only the processing of personal data; it does not cover data from which a particular natural person cannot be identified, or data that do not relate to a particular, already identified natural person. This means that if an internet trader's activities do not involve monitoring an identified natural person (the trader knows only general characteristics of the user), the Regulation does not apply to this conduct of the trader at all. However, if a trader monitors specifically identified natural persons (for example, by merging general information provided by a media server with information in a customer’s user account), the interpretation of Article 37(1)(b) of the Regulation will need to be addressed in greater detail.
Because the Regulation itself contains no further guidance on whether an officer must be appointed, Working Party 29 has issued an opinion on this issue, from which the following points can be drawn. The first question addressed is the interpretation of the term “core activities”. In our case, the question is whether a trader's monitoring of user behaviour can be considered a core activity of the trader, whose core activity is the sale of goods, or an activity that is inseparable from that core activity. The answer to this question will not be simple. The Working Party states that “core activities should not, however, be interpreted in a way that excludes activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, a hospital’s core activity is to provide health care. However, a hospital could not provide health care safely and effectively without processing health data such as patients’ medical records.”
A further question is whether the monitoring of users carried out by a trader can be considered large-scale monitoring. Working Party 29 recommends taking the following factors into account when determining whether monitoring is large-scale: the number of data subjects concerned, the volume of data and/or the range of different data items, the duration or permanence of the processing, and the geographical extent of the processing. Among its examples of large-scale processing, Working Party 29 also cites “the processing of personal data by a search engine for the purposes of behavioural advertising”. In this connection, however, it should be noted that the monitoring carried out by a trader differs in scope from the monitoring carried out by operators of search engines, media servers or social networks. Probably with the exception of the largest corporations, traders most frequently monitor users only on their own websites, whilst obtaining further information from third parties. The last element of the conditions in Article 37(1)(b) of the Regulation that needs to be interpreted in relation to the monitoring of data subjects is the phrase “regular and systematic”. Here we will probably reach the conclusion that if a trader monitors users of his websites in the course of his business activity, he will do so regularly and systematically.
It follows from the above that there is unfortunately no clear general answer at this moment to the question of whether an internet trader is obliged to appoint a data protection officer from 28 May 2018. In many cases this obligation will not apply to the trader, specifically where he does not monitor users at all or where he does not monitor identified users. However, if the trader monitors identified users (natural persons), in our opinion disputable situations may, at the very least, arise. Proper clarification of this issue will have to wait for further interpretative opinions of the relevant authorities.
For completeness, we add in conclusion that the Regulation naturally allows every controller or processor to appoint a data protection officer voluntarily.
Josef Aujezdský, advocate
Law firm Mašek, Kočí, Aujezdský www.e-Advokacie.cz – on-line legal advisory service
This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal circular No. 7/2017 intended for members of this association.
This text was translated from Czech to English using an AI translator.