Does a hospital have to appoint a data protection officer under the GDPR?

Source Documents

Guidelines on DPOs

Guidelines Dec 13, 2016 🇪🇺 Art29

Practical Guide GDPR Data Protection Officers

Guidelines Mar 14, 2022 🇫🇷 CNIL

Protection of Personal Data

Other Nov 1, 2021 🇪🇺 CJEU

Found quotes

Guidelines on DPOs

The designation of a DPO is an obligation: if the processing is carried out by a public authority or body (irrespective of what data is being processed)

Hospitals typically qualify as public authorities or bodies, which makes the designation of a DPO mandatory under GDPR.

if the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale

Hospitals perform regular and systematic monitoring of patients' health data on a large scale, making the appointment of a DPO mandatory.

For example, processing health data, such as patient’s health records, should be considered as one of any hospital’s core activities and hospitals must therefore designate DPOs.

This quote explicitly states that processing patient health data is a core activity of hospitals, thus requiring them to designate a DPO.

Practical Guide GDPR Data Protection Officers

Examples of regular and systematic monitoring of data subjects:

marketing activities whose personalization is based on personal data;

profiling and scoring for risk assessment purposes (credit risk assessment, establishing insurance premiums, preventing fraud, or detecting money laundering, etc.);

geolocation by mobile applications;

loyalty programs;

behavioural advertising;

monitoring of wellness, health, and fitness data using portable devices;

closed circuit television systems;

connected devices such as cars and smart meters, home automation, etc.

The quote lists examples of activities that require monitoring and the appointment of a DPO, including the monitoring of health data which is relevant to hospitals.

Factsheet 2: Who can be designated DPO?

Although there is no typical profile to serve as DPO, the GDPR requires the DPO to have a certain level of expertise. The organisation must also ensure that there is no conflict of interest with the appointee’s other missions.

The DPO’s knowledge and skills

The person approached for the function of DPO must have a certain level of knowledge, i.e.:

Legal and technical expertise on data protection;

knowledge of the business line, industry regulations and the organisation of the structure for which they are designated;

an understanding of processing operations, IT systems and the organisation’s data protection and security needs;

for a public authority or a public body, good knowledge of the applicable administrative rules and procedures.

The quote establishes the need for expertise in data protection for a DPO, with emphasis on the understanding of processing operations and regulations, which a hospital DPO would require.

Note: the level of expertise required varies according to the sensitivity, complexity, and volume of data processed by the organisation. This knowledge and skills can be acquired through a training plan adapted to the profile of the future DPO (see the question “How can a DPO be trained?”).

The quote notes that the level of expertise required for a DPO depends on the sensitivity and complexity of the data processed, which is particularly applicable to hospitals handling sensitive health data.

Protection of Personal Data

The Court found that these supervisory authorities responsible for supervising the processing of personal data outside the public sector must enjoy an independence allowing them to perform their duties free from external influence. That independence precludes not only any influence exercised by the supervised bodies, but also any directions or any other external influence, whether direct or indirect, which could call into question the performance by those authorities of their task of establishing a fair balance between the protection of the right to private life and the free movement of personal data.

This quote addresses the independence required for supervisory authorities which is relevant as it establishes the autonomy hospital DPOs must maintain in their role of overseeing data protection compliance.

The Court declared that Austria had failed to fulfil its obligations, finding, in essence, that a Member State which lays down a regulatory framework under which that authority's managing member is a federal official subject to supervision, whose office is integrated with national government departments, and in respect of which the head of the national government has an unconditional right to information covering all aspects of that authority’s work does not meet the requirement of independence of a supervisory authority, laid down by Directive 95/46 (paragraph 66 and operative part).

This quote emphasizes the necessity for supervisory authorities, such as a hospital's data protection officer, to be free from any supervising influence to maintain independence.

The Court held that a Member State fails to fulfil its obligations under Directive 95/46 if it prematurely brings to an end the term served by the supervisory authority for the protection of personal data (paragraph 62 and operative part 1). According to the Court, the supervisory authorities responsible for supervising the processing of those data must enjoy an independence allowing them to perform their duties free from external influence in whatever form, whether direct or indirect, which may have an effect on their decisions and which could call into question the performance by those authorities of their task of striking a fair balance between the protection of the right to private life and the free movement of personal data (paragraph 51).

This quote further reiterates the need for supervisory authorities to operate independently and free from any external influence, including hospitals appointing data protection officers.