28 Mar Is Your Organisation A Public Authority Under the GDPR?
One of the key elements to consider when assessing whether your organisation needs to appoint a Data Protection Officer (DPO), is to determine whether it will be regarded as a public authority under the General Data Protection Regulation’s (GDPR) Regime.
It is of key importance that organisations carry out this assessment as soon as possible since public authorities are subject to different requirements than most other private companies, i.e. in regard of the mandatory appointment of a DPO.
The GDPR does not provide with an autonomous definition of public authority. For organisations, it is national law – and not EU law – that will determine if they must be considered public authorities for the purposes of the GDPR. This is one of the reasons why Member States are currently drafting new data protection laws that aim to complete the GDPR Regime.
In the United Kingdom, the legal reference to use is the Data Protection Bill.
In its current version, the Bill provides that public authorities and public bodies are those defined by the Freedom of Information Act 2000 (FOIA), the Freedom of Information Act (Scotland) 2002 and any authority or body specified by the Secretary of State in regulations. However, such an authority or body will only be considered ‘public’ when performing a task carried out in the public interest or in the exercise of official authority vested in it.
The Bill is yet to be approved by Parliament, and thus it is a draft that is subject to change.
What does this mean in practice?
In practice, all organisations that fall under the FOIA definition will have to appoint a DPO as soon as possible. Under that law, all organisations that fall into the following broad categories are public authorities:
All of the government’s executive agencies and committees fall within this definition. Moreover, city councils and the service companies they own will fall under the umbrella of local government, while under the NHS umbrella will fall all private medical practices that offer NHS services, as well as pharmacies and other practitioners (limited to the provision of NHS services).
Most interesting is the definition of publicly owned company. It is clear that companies that are fully owned by the Crown or by the wider public sector are to be considered public authorities. One example is Cambridge Enterprise Limited, which is fully owned by the University of Cambridge. Another good example is Transport Trading Limited, which is fully owned by Transport for London.
Interestingly a few companies owned by public authorities are not entitled to the same status. For instance, the BBC is a public authority only in respect of information held for purposes other than those of journalism, art or literature. This means that its subsidiaries companies will not be considered public authorities, due to the fact that the BBC itself is not a public authority in full.
Assessing the public-authority status is a delicate matter. While the relevant legislation clearly points in the direction of a broad interpretation of the concept, care and precision are recommended in order not to be misled.
Are you unsure whether your organisation is a public authority under UK or a different Member State’s law?
Feel free to contact our team for more questions:
FILIPPO MARCHETTI, Data Protection Specialist at Trilateral Research