
That seems insane, and I'm definitely not a lawyer, so maybe there's an out, but I think maybe he's right. Article 37 is pretty clear that if your core business involves processing data that's subject to the GDPR, you need to appoint a DPO, and it can't just be you, because they also require that the DPO can't have a conflict of interest. Man, that's unfortunate.

https://gdpr-info.eu/art-37-gdpr/



https://ico.org.uk/for-organisations/guide-to-the-general-da...

Under the GDPR, you must appoint a DPO if:

you are a public authority (except for courts acting in their judicial capacity); your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

So - no?


In Germany the law has been that you only need a DPO if a) you are a public authority, b) at least 10 people in your organization/company handle or have access to personal data or c) you handle sensitive data (e.g. health records).

As far as I know the GDPR doesn't change these requirements here. So even if you're a company of 5 people and just handling some email addresses or similar data you certainly don't need a DPO.


First of all, you're saying "core business". Is this even a business?

And I copy-pasted direct text from the regulation. Note how it says "large scale". Twice. If he is actually processing personal data on a large scale, then maybe it is not unreasonable to have a DPO.


Is "large scale" defined?


No. It's not defined. That's part of the problem...


I think it's clear that 1 person is not a large scale op. I do agree it should be defined in at least somewhat precise terms though.


The number of employees isn't a factor as far as the scale of data processing is concerned - it's the scale of the actual data processing...


At a certain point, even if you are a single person, if you are processing and tracking enough data then you still shouldn't be allowed to do what you want. Companies could just outsource all liability to single-person consultancies then, like they outsource a lot of non-core jobs to consultancies to get around employment law now.


which clause would apply to require a DPO?

clause a: not a public body

clause b: not systematically monitoring (e.g. installing video cameras all over the streets)

clause c: not processing large scale sensitive or criminal information.

doesn't look to me like a DPO is needed based on this article?


It really comes down to the definition of "systematically monitoring". On our service we capture behavior (say in FullStory) and Google Analytics at a "large scale". How the DPO clause gets interpreted is going to be a key finding in the next few months. This is imho the most confusing and potentially difficult part of GDPR


No, that's irrelevant in this case. The question is whether you're processing sensitive PII on a large scale. DPO is only necessary when processing sensitive PII. Sensitive is very clearly defined in the law as race, religion, medical records or biometric data. And IP addresses certainly do not qualify as sensitive PII (they are PII though) so I don't understand the entire discussion here. Seems to be just a political kneejerk.


That's fair in this case, at my company we track "pregnancy status" and "due date". It's unclear at this point whether that's considered sensitive PII.


XMPP does have presence functionality so I'd consider that to be systematic monitoring. I don't know if his service is doing that, but it's one of the most useful aspects and definitely seems to fit the definition to me.


No. That article says you only need a DPO if you're a public authority or if you're processing certain data or you're processing very large amounts of data.

I'm struggling to understand why that's unclear. Is it the use of "public authority or body"?


Monal is an XMPP chat system. Users' messages are user data, and everything it does is processing that data, in the form of broadcasting it. I suppose as long as the data doesn't count as "very large", that'd be fine, but what does very large mean?


He's not monitoring the data.

He's not handling sensitive personal data.

He doesn't need a DPO.

See also the derogation for micro companies:

https://gdpr-info.eu/recitals/no-13/

> To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.


For some reason, I can't reply to Max_aaa's question directly.

> How do you guarantee that nothing in the messages being handled by the server is "sensitive personal data"?

You guarantee it by reading the rest of GDPR. It defines sensitive personal data separately from personal data. Sensitive personal data is defined by GDPR to be things that can be used to discriminate against the individual, such as race, ethnicity, religion, health information, credit information, age, etc.

EDIT: And what I mean to say is that if the messages aren't passing through the server or being stored on the servers, then the only info being handled by the server is the meta-data including IP address, which is not included in GDPR's definition of _sensitive_ personal data.


> He's not handling sensitive personal data.

How do you guarantee that nothing in the messages being handled by the server is "sensitive personal data"?


You can guarantee that because the messages aren't handled by the server: "Even though no message traffic passes through Monal's server".


This is an important point.

Example: Parts of our software run on customer servers and as such they are processing data in their control and not ours, hence they can, for example, be used to filter out personal data before it is sent to our servers, without causing any GDPR-related triggering of sending personal information to a third party (our company).


It's not “processing user data on a large scale” that requires a DPO, but “processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”


> Even though no message traffic passes through Monal's server

Sounds to me like they are not a) processing b) collecting message data.


AFAICT, it's not a public authority or body (37(1)(a)), it's not "regular and systematic monitoring of data subjects on a large scale" (37(1)(b)) (it seems to be merely crash reports and minimal information required for the service, not systematic monitoring), nor is it one of the special classes of data (37(1)(c)). I'm not sure how you could conclude a DPO is necessary.


I suspect it's going to be a bit like IR35 in the UK. Menacing on first glance, but so broad in its definition that any court is going to struggle to draw the hard conclusions for anything that isn't what the law was explicitly created to prevent.


Having to rely so much on the discretion of the courts is not a good thing. Generally, it is better if all people who agree on what happened agree about the legality of that.

When instead it is up for interpretation, that comes with issues. The first is selective enforcement, there is also the chilling effect on both sides. Those who ought to be protected worry about the slack given to their potential predators. Meanwhile those who are 'potential predators' need to worry about the slightest move that is illegal under some interpretation.

The end result of this chilling effect is fewer willing customers, fewer willing companies, and less mutual trust. Notably, this lack of trust persists even if you presume everyone still follows the law. At that point it seems to me a law has failed.


I don’t agree. All laws are up for interpretation. That’s why we have the judiciary. Law makers draft laws, courts decide where those laws fit into the wider body of law.

The kind of law making you're implicitly advocating is tantamount to despotism. Drafting a law that outlaws Islam might well be clear in its wording, but it needs to be tested against the law that allows freedom of religion, freedom from persecution, and a ton of other laws no doubt. The clarity of language with which a ban on Islam is articulated is all for nought if it's contradicted by, and incompatible with, other laws.

Although, GDPR has been explained very clearly. And we've been given a loooong time to digest, understand, implement, and question it. I don't think any reasonable person can make a compelling case against GDPR. But unreasonable people can, and as we're seeing, they will.



