This exception applies to both branches of solicitor-client privilege: procedural privilege and privilege to provide legal advice. The English legal concept of solicitor-client privilege includes both the "Litigation" privilege and the "Legal Advice" privilege. Overall, the former applies to confidential communications between a client, professional legal advisor or third party, but only if a legal dispute is contemplated or ongoing. The latter applies only to confidential communications between a client and professional legal counsel for the purpose of obtaining legal advice. The international transfer of personal data may take place with recipients from countries with an adequate level of protection of personal data. A country's level of protection of personal data is determined by assessing all the circumstances related to the nature, purpose and duration of the processing, the country of origin and final destination, as well as the legislation and security standards in force in the recipient country. No – a refusal to disclose privileged documents in response to an access request cannot be formally used to punish a company, and any attempt to do so would likely violate the right to a fair trial. On the other hand, the DPO does not need to be a lawyer and has "only" the common law obligation to perform this role in a professional manner and in accordance with the law. In addition, he may need a number of non-legal skills. First, interpretations of this legislation have focused on how leadership in an organization could limit the independence of the DPO.

In accordance with its powers, the DPC may also apply to the High Court for a ruling on the privileged status of documentation. To make such a request, the DPC must have reasonable grounds to believe that the documents in question do not contain privileged material and have reasonable grounds to believe that they contain evidence of a violation of the GDPR. We do not yet know that the DPC has exercised its power to seek a court ruling on privilege. I continue to review DPO job postings here in the EU and am regularly frustrated by some organisations' understanding of DPO requirements under the GDPR. The most common mistakes are finding a DPO with too little experience (a few years is a common requirement), insufficiently broad work experience (focusing only on one of the many disciplines needed) and a lack of independence, with DPOs reporting to IT, legal or compliance organizations rather than the board of directors, as required by the GDPR. The DPC has not yet provided guidance on the scope of the narrative it requires. In our experience, many regulators expect regulated entities claiming privilege to provide detailed information in support of their claim, in much more detail than would normally be required or ordered by a court in traditional litigation. Solicitor-client privilege is only available for communications that: However, without a court ruling on privilege, the DPC cannot force a controller to disclose documents for which he or she claims privilege. What upsets the balance between the two is the requirement to have specialist knowledge of data protection law and practice, which is to be expected from the lawyer, but not from the auditor.
This requirement is more complicated than it seems, as it affects not only the GDPR, but also other EU laws such as the ePrivacy Directive (or its successor) and relevant cases, and probably also, given the global interaction of organizations, the data protection and other relevant laws and cases of many jurisdictions, as well as the conflict-of-laws rules needed to determine which laws prevail. In an independent role, a DPO who provides legal advice and analysis and who is not a licensed lawyer may also be involved in the unauthorized practice of law. If they instead use the organization's management consultant to carry out the legal analyses, the DPO can no longer be considered independent.

Although my article clearly does not say that the DPO must be a lawyer, such a professional will help solve a second problem in the answer. According to the GDPR, the DPO is required to have "in-depth knowledge of data protection law". The Article 29 Data Protection Working Party stated in its December 2016 guidelines that DPOs "should not be tasked with taking a particular point of view on an issue related to data protection law, such as a particular interpretation of the law". The DPO will independently provide legal advice on data protection law to the controller or processor in the course of his or her duties. If the DPO is not a lawyer, this could lead to him being involved in the unauthorized practice of law. Although this is a complex legal area that cannot be easily summarized, it appears that the majority of EU Member States and a significant number of non-EU states, including the United States of America, consider the provision of legal advice for compensation to be a "reserved" activity that can only legally be carried out by licensed legal professionals. Those in jurisdictions such as England, with its more limited number of legal activities reserved only for licensed lawyers, may not understand these legal restrictions from other countries. Controllers and processors should carefully consider whether to voluntarily provide legally privileged information to the DPC and should obtain appropriate written assurances in advance that a voluntary provision does not constitute a waiver of legal secrecy and is protected against disclosure in future ancillary proceedings or investigations. In addition, the Data Protection Act 2018 prohibits DPC staff from disclosing confidential information obtained in the course of performing duties under the 2018 Act or the GDPR, unless required or permitted by law or duly authorised by the Data Protection Officer, and this can therefore be part of the additional comfort that can be provided.
Beyond these two professions, it becomes more complicated for organizations trying to fulfill the role of DPO with other types of professionals, multiple people and/or with a combination of in-house, hired and outsourced resources. As a general rule, organizations in such situations should adhere firmly and promptly to the following two rules.

First, they are not allowed to use anyone in the role of DPO who could cause a conflict of interest. For example, as a recent case in Germany has shown, the role of the IT manager is not suited to the role of DPO under current German law, given the required independence of the DPO from IT operations. Second, any resource that fulfills the DPO's role must have sufficient legal and technical expertise to conduct an independent assessment of the organization's privacy practices, without relying primarily on the judgment of the organization's employees. The explanatory note annexed to the general scheme of the bill stated that these exclusions were intended to "protect professional secrecy to the extent necessary and proportionate in a democratic society". Since the role of the DPO is a sui generis role, audit reports would not normally benefit from the protection of professional secrecy. This, in turn, could force the DPO to testify in a court case involving his organization if he is obliged to provide the report as evidence. The 2020 Annual Report offers an interesting overview of how the DPC intends to challenge a claim of privilege. The DPC is free to challenge a claim of privilege and to effectively request access to the disputed documents on a voluntary basis in order to assess whether the claim is valid.

Case Study 4 of the 2020 Annual Report is an example of a case where, after reviewing the documents in question, the DPC concluded that litigation privilege had not been validly claimed. The Commissioner for the Right to Information and Data Protection (the "Commissioner") is the independent Albanian authority responsible for monitoring and controlling the protection of personal data and the right to information while respecting and guaranteeing fundamental human rights and freedoms in accordance with the legal framework. Changing these hats should be done carefully, and the company should be aware of when the person takes instructions and gives advice as an in-house lawyer – which could be legally privileged – and when the person acts as a DPO in the performance of these duties. There is no such thing as too much knowledge or too much skill, so it's a bonus if a DPO has skills and knowledge in one of the roles they often work with, such as human resources, legal, marketing, IT, auditing, risk management, procurement, product development, sales, etc. It is becoming more and more important to understand new technologies, and more and more companies are certifying to ISO 27001, so a DPO who understands information security controls and can handle things like algorithms, deep learning, encryption, etc. has an advantage.