GDPR vs PIPL: role of DPO
The Data Protection Officer (DPO) is central to your compliance with data protection laws. Many jurisdictions emphasise the importance of this function, but they differ in how they define the role and the requirements for DPOs.
Below we look at some basic similarities and differences between the approach to the DPO under the European Union’s General Data Protection Regulation (GDPR) and under the Chinese Personal Information Protection Law (PIPL).
What are the DPO’s role and functions?

| GDPR | PIPL |
|---|---|
| The DPO’s role, whether acting as a DPO for a data controller or for a data processor, shall include at least the following tasks: → to inform and advise on obligations under the GDPR and applicable EU data protection laws; → to monitor data protection compliance, including the assignment of responsibilities, awareness-raising and training of staff, and other tasks; → to advise on the data protection impact assessment; → to act as a contact point for the data protection authority and advise the controller or processor on cooperation with that authority; → to act as a contact point for individuals (data subjects). | PIPL contains two definitions of roles similar to the GDPR’s DPO. The closest is “the person in charge of personal information protection,” who is personally responsible for supervising activities involving personal data and adopting the necessary protection measures. The DPO’s role includes the following tasks: → being responsible in case of data protection enforcement actions against the organisation, as well as for any relevant governmental registrations; → preparing internal and external data protection documentation; → supporting cross-border data transfers and conducting data protection impact assessments; → ensuring implementation of proper security and organisational measures; → managing data subjects’ requests; → organising internal data protection training. |

Who needs to appoint a DPO?

| GDPR | PIPL |
|---|---|
| Under the GDPR, you should consider your core data processing activities and their scale when deciding whether to appoint a DPO. The GDPR requires controllers and processors to designate a DPO if: → they are a public authority carrying out the data processing; → their core activities consist of processing which requires regular and systematic monitoring of data subjects on a large scale (e.g. for behavioural advertising); → their core activities consist of large-scale processing of special categories of data, e.g. biometric or health data, or data revealing ethnic origin, sexual orientation or political opinions; → their core activities consist of large-scale processing of personal data relating to criminal convictions and offences. If you are not required to appoint a DPO, you may do so voluntarily to ensure better compliance with data protection law. | Under PIPL, the Chinese Cybersecurity Administration (CAC) determines the criteria for appointing a DPO. The CAC has yet to provide such criteria. However, criteria may be found in the Chinese “Personal Information Security Specification” (GB/T 35273—2020), under which an organisation is required to appoint a DPO if: → it has more than 200 employees and its main business activities involve processing personal data; → it processes (or is expected to process) the data of over one million individuals; → it processes the sensitive data of over 100,000 individuals. |

What are the requirements for the DPO’s qualifications?

| GDPR | PIPL |
|---|---|
| The GDPR does not impose many requirements on DPO qualifications: a DPO shall be designated on the basis of professional qualities, expert knowledge of data protection law and practices, and the ability to fulfil the DPO’s tasks. Thus, the DPO may be a member of your staff or an external contractor, whether an individual or an organisation. Moreover, the DPO may be located outside the EU. The GDPR also places requirements on the DPO’s independence: you may not give the DPO instructions, or penalise them, regarding the performance of their DPO tasks. | PIPL and other Chinese data protection laws do not specify qualifications for DPOs, whether expertise, nationality or other criteria. However, this role should preferably be filled by your own personnel (ideally a Chinese national located in China), whose contact details should be provided to the Chinese supervisory authorities. With regard to the DPO’s independence, PIPL does not impose strict requirements of the kind found in the GDPR. |

Is the DPO liable for the organisation’s non-compliance with data protection laws?

| GDPR | PIPL |
|---|---|
| Under the GDPR, the DPO bears no personal responsibility for non-compliance with applicable data protection laws. Note, therefore, that even when you have appointed a DPO, you remain responsible for compliance with data protection law. | Unlike the GDPR, Chinese law establishes personal liability for a company’s non-compliance with data protection obligations. For example, the DPO may be fined or temporarily banned from performing DPO tasks. |
It should be noted that both the GDPR and PIPL provide for sanctions for violations of the DPO provisions.
The GDPR imposes administrative fines of up to EUR 10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for violations of the articles relating to the appointment of the DPO and the performance of the DPO’s functions.
Such fines have already been applied by data protection authorities (DPAs) of the EU Member States:
- In 2020, the Spanish DPA imposed a fine of EUR 50,000 on a private security company, Conseguridad SL, for conducting its surveillance activities on persons visiting or working for the company without appointing a DPO;
- In 2021, the Luxembourg DPA fined an unnamed company EUR 18,700 for several violations regarding the DPO: the controller’s public website did not include direct contact details for the DPO, and the DPO was not sufficiently involved in all data protection matters and did not have sufficient autonomy;
- In 2022, the Berlin DPA fined an e-commerce retail group EUR 525,000 because of a conflict of interest on the part of its DPO, who was simultaneously making data processing decisions as an executive of the company.
China also imposes harsh sanctions for violations of personal data laws, including PIPL. In addition to prohibiting violators from holding certain positions, among other sanctions, PIPL imposes fines of between RMB 10,000 and RMB 100,000 on individuals directly involved in a PIPL violation. In the case of serious violations, the fine may be increased to up to RMB 50 million or 5% of annual fiscal revenue. PIPL does not clearly define serious violations, but it can be assumed that these may include violations of the DPO provisions.
In conclusion, the two laws’ visions of the DPO’s role and tasks have many similarities. The differences lie in the requirements for appointing a DPO, the DPO’s independence, the approach to the DPO’s responsibility for the organisation’s non-compliance with data protection requirements, and the requirements for the DPO’s qualifications. Moreover, the Chinese government has yet to clarify many aspects of the DPO’s role and activities. In addition, the systems of enforcement and penalties vary significantly.
At Privacity, you can always contact us and schedule a meeting with our team to learn more about the DPO function and designation, or to discuss your organisation’s unique needs regarding the appointment of a DPO.