DPO and Retail: is the match possible?
More than six years have passed since the General Data Protection Regulation (GDPR) began to apply. However, some aspects of this legal act, such as the obligation to appoint a Data Protection Officer (DPO), are still unclear to many people and businesses, including those in retail.
In this article, we answer the question "Does my retail business need a DPO?" by examining the GDPR provisions and relevant enforcement cases.
Who is a DPO?
The GDPR doesn't provide a specific definition of a DPO, but based on its provisions (in particular Article 37(5), which requires the DPO to be designated on the basis of expert knowledge of data protection law and practices), we can say that a DPO is an expert on data protection law and practices. The main role of the DPO is to ensure the internal application of the GDPR and to protect the rights and freedoms of data subjects from being adversely affected by processing operations. Such a specialist can be an internal team member or an external DPO performing tasks based on a service contract.
When must a DPO be appointed?
Article 37(1) of the GDPR specifies cases where the appointment of a DPO is mandatory, namely:
- the processing is carried out by a public authority or body;
- the core activities consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- the core activities consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
Various factors must be considered to determine whether a company meets any of these criteria (see the WP29 Guidelines on Data Protection Officers, endorsed by the EDPB, for more details). A company may also choose to appoint a DPO voluntarily. Note that, according to the same Guidelines, once a DPO is appointed voluntarily, the requirements of Articles 37 to 39 apply to that designation as if it were mandatory.
Obligations of the DPO
The obligations of the DPO include the tasks listed in Article 39 of the GDPR, such as:
- informing and advising the organization and its employees regarding their obligations under the GDPR and the data protection laws of EU member states;
- monitoring compliance with the GDPR and the data protection laws of member states, as well as the organization's data protection policies, including the assignment of responsibilities, awareness-raising, training of staff involved in processing operations, and the related audits;
- providing advice where requested regarding data protection impact assessments and monitoring how they are carried out;
- cooperating with data protection authorities;
- acting as the contact point for data protection authorities on issues related to the processing of personal data, and consulting, where appropriate, on any other matters.
This list of tasks is not exhaustive. The DPO may also be responsible for other duties, such as conducting Legitimate Interest Assessments and Transfer Impact Assessments, maintaining Records of Processing Activities, and handling Data Subject Requests.
Why do retail services need the DPO?
In general, if one of the conditions mentioned at the beginning of this article applies to your business, you are required to appoint a DPO. But even if your retail business isn't obligated to have one, it is recommended to appoint one.
Below are some typical aspects of a modern retail business where the professional advice of a DPO will be helpful.
Consent management
When selling your goods, did you ask the buyer to provide their email address to receive a receipt for the purchase? Did you later decide to send promotional codes or advertisements to this buyer? Maybe you sell goods to a child? These are common situations in the retail business, and each of them requires a valid lawful basis for the processing; for marketing messages and for children's data, that usually means properly obtained consent from the data subject.
The GDPR imposes strict requirements for consent: it must be freely given, specific, informed, and unambiguous. Moreover, your clients must be able to withdraw their consent at any time without facing negative consequences, and withdrawing consent must be as easy as giving it (Article 7(3)). This aspect becomes even more complicated when dealing with children (Article 8 sets the age of consent for online services at 16, which member states may lower to 13) or when processing sensitive personal data.
GDPR-compliant consent management requires significant attention, knowledge and effort; therefore, it's advisable to delegate this task to a DPO.
Personalized shopping experiences and tracking customer movement and preferences
It’s hard to imagine modern-day retail without personalized shopping experiences, which have become a cornerstone of customer engagement. To make this possible, retailers use various methods to gather personal data on customer behaviour, including loyalty programs, in-store sensors, and mobile apps.
For instance, when clients visit your website, it may start recording their behaviour and actions as soon as they arrive. This common retail practice relies on so-called "cookies" and similar tracking technologies, and it must comply not only with the GDPR but also with the ePrivacy Directive, which requires consent before storing or reading information on the user's device unless the cookie is strictly necessary for the service the user requested.
It has become even more challenging as retailers use sophisticated technologies such as artificial intelligence to tailor their offerings to individual customer preferences and behaviours.
While these practices can significantly enhance the shopping experience, they also raise important privacy concerns. That is why retailers need a DPO to ensure that such activities comply with GDPR requirements.
Security and data breach notification
According to a Forbes article, data breaches increased by 72% between 2021 and 2023, surpassing the previous record and affecting over 343 million victims in 2023 alone. It is not an exaggeration to say that it's only a matter of time before your retail business experiences a cyberattack. This could result in significant customer loss and substantial fines imposed by the local data protection authority.
Moreover, the GDPR requires retail businesses to report a personal data breach to the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), and, where the breach is likely to result in a high risk to individuals, to notify the affected clients as well (Article 34).
Could such situations have been anticipated and properly handled? Yes, by appointing a DPO. A DPO is not only a privacy lawyer but also possesses technical and management knowledge. While dealing with other privacy matters, the DPO can also help you design the appropriate technical and organisational security measures that Article 32 requires, and prepare the breach-response procedure before an incident happens.
Data processing agreements
Retailers usually have business relationships with many contractors, some of whom process personal data on the retailer's behalf (e.g., delivery or logistics providers). The GDPR (Article 28(1)) requires you to work only with processors who "provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject". This means that you must ensure GDPR compliance not only for yourself, but also for your service providers. This requires comprehensive checks or even audits of potential contractors, which can be quite challenging.
The GDPR also requires a written contract with such processors (Article 28(3)). These agreements must include specific mandatory content, be subject to periodic review, and be adapted to your specific needs. A DPO can be very helpful in managing these tasks.
International data flows
With the trend toward globalization, many retailers have cross-border business relationships, some of which involve transferring personal data from the EU to other countries.
Chapter V of the GDPR imposes various obligations regarding these data flows, such as checking whether the third country benefits from an adequacy decision and, if not, putting in place appropriate safeguards such as Standard Contractual Clauses together with a Transfer Impact Assessment of the legislation and practices of the destination country. Without the assistance of a DPO, managing these requirements can be nearly impossible.
Consequences of the absence of a DPO
According to Article 83(4) of the GDPR, failing to appoint a DPO when required can result in administrative fines of up to €10,000,000 or, for undertakings, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Here are some examples of such failures and the fines imposed:
- In 2019, the Spanish supervisory authority (AEPD) imposed a fine of €25,000 on Glovo for non-compliance with its duty to appoint a Data Protection Officer under Article 37 of the GDPR.
- In 2020, the Spanish DPA imposed a fine of €50,000 on Conseguridad SL for not having a data protection officer, in violation of Article 37(1)(b) of the GDPR.
- In 2022, the Belgian DPA fined the Interactive Advertising Bureau Europe €250,000. Among other infringements, this organization didn't appoint a DPO as required.
- In 2022, the Italian DPA imposed a fine of €200,000 on Amiu Spa for, among other things, failing to designate a DPO.
Conclusion
In conclusion, appointing a DPO is valuable for the retail sector. As retailers handle vast amounts of personal data, a DPO helps ensure compliance with data protection laws and enhances customer trust.
By proactively managing data privacy, retailers can mitigate risks, avoid regulatory penalties, and build a reputation for safeguarding customer information. In a data-driven world, having a DPO is not just a regulatory requirement where the GDPR mandates one, but a strategic advantage that supports sustainable business growth.
Read more about our special service — DPO as a service.