Article 35*
Article 35 – Designation of the data protection officer
Commission Proposal
1. The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body; or 2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer. 3. Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body. 4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer. 5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor. 6. The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person’s tasks and duties as data protection officer and do not result in a conflict of interests. 7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed,if the data protection officer no longer fulfils the conditions required for the performance of their duties. 8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract. 9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public. 10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation. 11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5. |
EDRi’s proposed amendment
1. The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body; or 2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer. 3. Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body. 4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer. 5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor. 6. The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person’s tasks and duties as data protection officer and do not result in a conflict of interests. 7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed,if the data protection officer no longer fulfils the conditions required for the performance of their duties. 8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract. 9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public. 10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation. 11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5. |
Justification
The exemption proposed by the Commission is unduly wide. One reason is that, especially in the online context, also small businesses might process data on big numbers of data subjects. Therefore, using the number of employees as a threshold to trigger the exception is not adapted. We propose to use the number of data subjects as the criterion.