The primary role of the data protection officer (DPO) is to ensure that their organization processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules. EU bodies and institutions have already had to conform to this requirement for quite some time. Now that the GDPR applies, many more organizations must appoint a DPO or should seriously consider it in the interest of the organization.
Role and position
A controller or processor having appointed a DPO is obliged to involve him or her ‘properly and in a timely manner, in all issues which relate to the protection of personal data’ (GDPR article 38). According to this same article, DPOs have an independent management role in their organization with adequate resources. They also report directly to the highest management level. This is important because the DPO must be able to operate autonomously. It is not permitted for a DPO to be instructed on how to exercise his or her tasks. This also ensures that management and the board are aware of the advice and recommendations of the DPO. The DPO is protected by the GDPR; they cannot be dismissed or penalized by the controller or the processor for performing their tasks.
The autonomy of the DPO does not, however, mean that they have decision making powers extending beyond their tasks pursuant to GDPR article 39. Neither are DPOs personally responsible in case of non-compliance with the GDPR. Data protection compliance is a responsibility of the controller and the processor.
It is permitted for a group of underlings to designate a single DPO. In this case, it must be ensured that the DPO is ‘easily accessible’ and that the DPO is able to carry out the required tasks efficiently (if necessary with the aid of a team). It is also essential that the DPO is able to communicate efficiently with data subjects and cooperate with supervisory authorities. This means that communication must take place in the language or languages used by the supervisory authorities and data subjects concerned. Keeping these preconditions in mind, it is also permitted to hire an external DPO on the basis of a service contract.
Tasks of the DPO
The main role of the DPO is ‘to monitor compliance to the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits’ (GDPR art. 39). This includes informing the controller or processor and their employees carrying out processing of their legal obligations.
Though it is the task of the controller to carry out a data protection impact assessment (DPIA), the DPO can have an important role in assisting the controller. They can provide advice when requested and monitor the DPIAs performance.
The DPO acts as the contact point for the supervisory authority regarding issues relating to processing, cooperates with them if needed and, where required, consults them with regard to privacy and data protection issues.
The DPO does not officially have a record-keeping obligation according to the GDPR. It is the controller or the processor who is required to ‘maintain a record of processing operations’ (GDPR art. 30).
Requirements of a DPO
According to the GDPR, the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks (…). The EDPB adds to that in their ‘Guidelines’ that the necessary level of expert knowledge should be determined according to the level of complexity of the data processing carried out. For complex processing operations or cases where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support.
 Details of whether designation of a DPO is required can be found in GDPR article 37 and in more detail in the Guidelines on Data Protection Officers (DPOs), published by the European Data Protection Board (EDPB – formerly known as Working Party on the Protection of Individuals with regard to the Processing of Personal Data or ‘WP29’)
This article has been written by guest author Leo Besemer.