The appointment of a data protection officer (DPO) is, as a rule, the right of the controller and the processor – it’s up to them to designate the DPO. The provisions of the GDPR obligate to appoint DPOs only in strictly defined situations, e.g. when personal data are processed by a public authority or body, but the catalogue of these situations is not very extensive. For the rest, the controller and the processor do not have such an obligation and it is up to them whether or not decide to appoint an DPO in the organisation. However, making such a decision has its consequences, which we have already written about many times.
This circumstance (i.e. the optional appointment of the DPO) has led us to wonder how the statistics on this issue are shaping up in practice. As the GDPR.pl portal, we have decided to go one step further and have asked a number of questions to the data protection supervisory authorities in the European Union concerning the issue of appointing DPOs in each Member States. The President of the Personal Data Protection Office (Polish SA) has also sent us a position on this topic.
Please be noted that the material we have developed is based solely on the answers received from the respective authorities. It does not, therefore, constitute an attempt of a comprehensive evaluation of the functioning of the DPO issue in Poland and other EU countries.
Number of DPOs communicated to SAs
The analysis of the answers received shows a huge disparity in the number of DPOs communicated to the supervisory authorities in each EU Member State. The UK and Spain are undoubtedly the leaders of the list, with more than 70,000 and almost 60,000 data protection officers reported respectively. The next on the list is the Slovakian supervisory authority (sic!), which has received almost 15,000 notifications, thereby distancing further countries on the list.
The remaining countries with the highest number of DPOs communicated (due to the number of notifications): Germany with 12,000 DPOs, the Netherlands with 10,500 DPOs, Sweden with almost 8,500 DPOs, and Croatia and Belgium with around 5,500 DPOs.
Surprisingly, we were also answered by the supervisory authorities of two German Länder – Schleswig-Holstein and the Saarland. These authorities have received relatively high scores in terms of DPOs notifications – around 6,500 and less than 4,000 respectively. These large figures may come as a surprise, given that in Estonia and Slovenia, around 2,500 DPOs were communicated, while in Norway, Finland and Ireland – only around 1,800 DPOs.
The list is closed by the Latvian and Icelandic supervisory authorities – 780 and 377 notifications respectively. The position of these countries on our list is not particularly surprising, given their geographical size and, therefore, certainly fewer number of entities which process personal data. Unfortunately, we do not have the data from our national backyard, as the Personal Data Protection Office (Polish SA) – at our request – was not able to verify the number of notifications, which is a pity, because this is a very interesting matter. Especially when we take into account that there were over 20,000 of data security administrators (the predecessor of the DPO) and the demand for the DPOs was estimated, by the legislators before introducing the new act on personal data protection, for over 60,000. So what is and what should be the real number of DPOs in Poland? We will try to answer this question later.
Below we present a summary of this issue:
Who appoints the DPOs – private business or public administration?
Another question that we asked the supervisory authorities about is the proportion between DPO notifications in public administration and in the private business. And in this comparison, the biggest surprise was again the UK and Spain. In these countries, there is a significant imbalance in this respect. In the United Kingdom, the ratio between DPOs communicated to SAs in public administration and business is 16:84, and in Spain 12:88. This indicates high awareness among private sector controllers and processors in these countries. It is also worth noting that the UK’s supervisory authority (the Information Commissioner’s Office – the ICO) is very active in the European arena.
Two other countries – Ireland and Estonia – are also dominated by DPOs from the private sector, although the disparities are smaller, they are still significant (24% and 21% respectively in the total number of DPOs appointed). The dominance of DPOs appointed in public administration is only in Iceland (63% of the overall of DPOs appointed), and the balance between DPOs in public administration and business can only be observed in Slovenia (56% for DPOs in public administration). Iceland is in general an interesting country, a bit distant and 'exotic’ for us, but as we can see, it is dynamic and very responsible in the context of DPOs.
The crucial question is – where do these disparities come from? They may be due to the different definition of the concept of 'public authorities and bodies’ in different EU Member States. This problem has also been highlighted by the Article 29 Working Party in its guidelines on data protection officers, pointing out that these concepts should be defined in national legislation in view of the lack of regulation of this issue in the provisions of the GDPR.
Below is a summary of this issue:
Number of DPOs in the context of population in each EU Member States
While working on the answers we received, we decided to look also at them from a different perspective. We have calculated how many residents (data subjects) have a statistical DPO in their care. Such information may (but does not have to) suggest how effectively the rights of individuals under the provisions of the GDPR are being implemented.
Our calculations show that, on average, there are about 1,693 people taken care of by one DPO. The best situation is definitely in case of residents of the two abovementioned German federal states (Saarland and Schleswig-Holstein), Slovakia and Estonia. There are between 350 and 378 data subjects per one DPO – in our opinion this is quite an impressive result. On the other end of the schedule, there are countries such as Federal Republic of Germany (the country as a whole, where federal supervisory authority, which we wrote in the previous article, is responsible only for selected areas of data protection-related activities), Finland and Norway, where there are about 3,000 residents per one DPO.
Below is a summary of this issue:
What about Poland?
We also asked the President of the Personal Data Protection Office with the same questions. It appears that the Polish supervisory authority does not keep internal statistics on communication of data protection officers. It is worth noting that both the provisions of the GDPR and the Act on Personal Data Protection of 2018 do not impose an obligation to keep the register of the data protection officers and to publish the content of notifications (such an obligation existed under the repealed Act on Personal Data Protection of 1997 in relation to data security administrators (DSAs)). On the other hand, the communication is made in electronic form so the system should allow to count how many notifications have been made. However, let us look for a statistical calculation.
Providing we have about 38.4 million residents in Poland (official data from the Central Statistical Office at the end of 2019 state that the population of Poland is around 38,383k persons) and we take into account the EU average (our calculations show that there are 117 DPOs per 100,000 residents), then in order to achieve such average in Poland we should have about 45,000 data protection officers.
Whether this is many or few, it is difficult to say – unfortunately, we do not know the real number. However, given the abovementioned assumption, this would place us slightly below Spain (59,673 of DPOs) and above Slovakia (14,423 of DPOs) – it also seems like a real number. On the other hand, it shows that we would have an actual increase of 100% in the number of DPOS in relation to DSAs. Is this the scale of the new challenges for the GDPR? Perhaps.