Data Protection Officer (DPO) in EU-funded projects

The General Data Protection Regulation has brought in many advances and additions, among which is the role of the Data Protection Officer (DPO). The DPO intervenes in the functioning of an organization in order to orchestrate the general compliance with data protection laws and regulations, such as the GDPR and other pertinent European and national texts.

This role reinforces the responsibility of organizations to put in place lawful processing as the DPO would coordinate the implementation of legal and ethical guarantees for data subjects.

The GDPR does not rigorously define a specific profile for the DPO. It, however, enshrines a set of criteria that need to be respected, such as having adequate resources, being informed and independent, and being able to report to the highest levels of management in the organization.

A DPO can be appointed by all entities. However, appointing and declaring a DPO to the competent data protection authority becomes an obligation if the organization is a public entity or if its core activities involve the processing of sensitive data on a large scale or involve large-scale, regular, and systematic monitoring of individuals.

Can EU-funded project have a DPO?

The question of appointing a DPO can arise in relation to the innovation schemes of the European Commission. The projects funded under Horizon 2020 and Horizon Europe can in fact entail an important amount of personal data processing for the project to attain its goals.

Nonetheless, this processing of personal data does not mean that the project, per se, is a controller or a processor of said data. In fact, a quick look at the legal anatomy of these projects confirms that they do not possess a separate legal entity as they are launched by a consortium that is bound by a Grant Agreement. Consortia are thus not legal entities that have the obligation of appointing a DPO.

The project acts as a joint platform for participating organizations and does not suppress the obligation of each partner in regard to the processing of personal data they possess and process in the framework of the project.

Legal and Ethics Manager in EU-funded projects

Even if no DPO can be appointed by the project itself, the responsibilities of legal and ethical compliance are highly considered in EU-funded innovation projects. Subject to the EC’s Ethics Appraisal Process, which may result in Conditional Clearance and Ethics Requirements the consortium must fulfil, a project needs to be able to provide state-of-the-art levels of legal and ethical compliance throughout the entirety of its life cycle.

The grant agreement generally puts in place many ethical and legal guarantees. At the same time, the project proposal (later description of action) can envisage the identification of a legal and/or ethics manager that would be chosen among the staff of one of the partners.

This Legal and Ethics Manager would have the responsibility of advising the consortium members on matters of compliance with the law and ethical standards. However, the manager does not intake the responsibilities of a DPO as they act as an advisor and a contact point for all pertinent matters without bearing the responsibilities of other partners in data processing. The role of the Legal and Ethics Manager can include the coordination of activities between project partners’ internal DPOs.

Privanova engages in multiple projects by taking up the role of the legal and ethics manager, thus providing an additional guarantee to the lawful processing of personal data. This is the case with MARVEL, CYRENE, DIGICARE4YOU, AI4HEALTHSEC and other projects we’re involved in.

Data protection being at the heart of our expertise, we play the role of clarifying the contact schemes in regards to data protection, among other legal and ethical issues. We can also facilitate the implementation of a project-wide Data Protection Impact Assessment or help a project partner’s internal DPO to perform it on one or more project aspects under their responsibility.

DPO in the context of Horizon Europe Ethics Appraisal Procedure

EU-funded innovation projects go through evaluation procedures that entail reviewing and auditing all aspects of ethics and legal compliance. As the projects “shall comply with ethical principles and relevant national, Union, and international legislation”, a set of guarantees need to be activated.

When a project involving the processing of personal data goes through an ethics appraisal procedure, the results ordinarily highlight, among other things, the need of appointing a DPO by all participating parties. This indicates the continuous accountability that all partners need to showcase when it comes to their processing of data.

The need of appointing DPOs by different participating partners makes clear the need for overall expertise in processing personal data in a lawful manner. These requirements are annexed to the grant agreement that guides the partners in their data processing activities throughout the entirety of the project.

As the responsibilities of each should be identified in a clear manner that leaves no room for doubt, documents such as the data management plan are paramount as they provide an overview of all the responsibilities that arise throughout the project.