True story - a company has been (and still is!) stuck with its external DPO for 12 years.
Is the DPO requirement reasonable? Or the frequent recommendations from data protection authorities (like the French CNIL) to 'always' appoint one even though you don't have to? 🤔 We think not.
The requirement (for certain businesses and organizations) to appoint a data protection officer was not new with the GDPR and actual requirements can also vary between member states.
For example, in Germany, in addition to Article 37(1)(b) and (c), you must appoint a DPO if you "generally employ at least 20 people at all times with the automated processing of personal data" (see BDSG § 38(1)). It used to be 10 people, but at least they increased this to 20 in November 2019.
Now, the European Court of Justice (CJEU) recently ruled that member states can make it even harder to dismiss a DPO - internal or external - in national legislation, as in the German case discussed in our episode.
Unfortunately, the minority view from the referring court didn't win in this case, stating that "the links between that protection and the position of data protection officer conflict with EU law and give rise to economic pressure to retain a data protection officer on a long-term basis once he or she has been designated."
Links and resources:
- Guidelines on Data Protection Officers (WP29, endorsed by the EDPB)
- All CJEU documents related to the ruling