Six Things You Need to Know About the DPO under the PDA
The Police Data Act (PDA) is a privacy law much like the GDPR, but with some distinct differences. Like the GDPR, the PDA introduces the role of a Data Protection Officer (DPO), but the PDA-DPO differs from the GDPR-DPO in several respects. In my work, I frequently encounter misunderstandings about this so-called PDA-DPO. Below, I discuss six key points you should know about the PDA-DPO.
1. If you're a DPO for the GDPR, you're also responsible for compliance with the PDA
Imagine your organization processes personal data falling under the PDA. This is typically the case when your organization employs enforcement officers who perform law enforcement tasks (for example municipal enforcement officers, parking attendants, truancy officers, forest rangers, and environmental officers). In that case, the PDA obliges you to appoint a DPO. If you have already appointed a DPO for personal data processing under the GDPR, you do not need a separate DPO for the PDA: the GDPR-DPO is also responsible for personal data processing under the PDA.
Note: the appointed DPO must be knowledgeable about both pieces of legislation, the GDPR and the PDA. If that is not the case, you may choose to appoint an additional PDA-DPO. Make sure the original DPO notification is supplemented rather than duplicated, so that a single DPO number covers both roles.
2. The PDA-DPO must annually compile a findings report on PDA compliance and share it with the data controller
Here the PDA is stricter than the GDPR. According to Article 36(4) of the PDA, the PDA-DPO must submit a written report of their findings on PDA compliance to the data controller every year. The GDPR does not require such a written report, although in practice it is common for the DPO to deliver an annual report anyway.
3. The PDA-DPO lacks job protection, unlike the GDPR-DPO
Under the GDPR, the DPO enjoys job protection: they "shall not be dismissed or penalised for performing their tasks" (Article 38 of the GDPR). The PDA-DPO does not have this protection, because the PDA is silent on the matter.
Nor does the GDPR protection mean that a GDPR-DPO can never be dismissed. Dismissal remains possible for reasons unrelated to performing the DPO tasks, such as theft, harassment, or similar serious misconduct.
4. The PDA-DPO also has an advisory role in DPIAs and oversees their execution
Under the GDPR, organizations are in some cases obliged to conduct a Data Protection Impact Assessment (DPIA). A DPIA assesses the privacy risks of a planned processing operation and determines the measures needed to mitigate those risks. The GDPR-DPO has an advisory role in this process (Article 39 of the GDPR).
Processing under the PDA often involves sensitive personal data, typically data relating to criminal matters, and in such cases a DPIA is almost always required. The PDA-DPO likewise has an advisory role in this process, as laid down in Article 36 of the PDA.
5. The PDA-DPO or GDPR-DPO does not perform internal PDA audits themselves
Every organization with enforcement officers must have an external PDA audit carried out every four years. In addition, these organizations must carry out an internal PDA audit every year. The DPO, whether appointed under the GDPR or the PDA, may not conduct this internal audit themselves. The DPO's role is to oversee PDA compliance within the organization, which includes supervising compliance with the audit obligation and the quality of the audits. Conducting the audits themselves would conflict with that supervisory role.
6. The PDA-DPO is responsible for overseeing specific matters
The NOREA guideline for the PDA (norm 31) specifies the areas the PDA-DPO should oversee, as stipulated by the supervisory authority. This list is a helpful reference for the PDA-DPO. According to the guideline, the DPO should oversee:
Compliance with the PDA;
The data controller's policies regarding personal data protection;
Authorization assignment;
Awareness and training of enforcement officers and other individuals involved in processing police data;
Audits;
The execution of DPIAs.
Finally, the guideline also mentions the DPO's obligation to report their findings on the PDA to the data controller annually (see point 2).
If you'd like to know even more about DPOs and everything related to them, please don't hesitate to contact me!