Data protection officer under the GDPR

The GDPR introduces an obligation for many entities to appoint a Data Protection Officer (DPO). This obligation applies to controllers and processors alike. It covers all public authorities or bodies (except for courts acting in their judicial capacity) and, beyond the public sector, entities whose core business depends on personal-data processing. Specifically, Art. 37(1) GDPR requires a DPO to be designated by any controller or processor whose core activities consist of processing

  • that requires regular and systematic monitoring of data subjects on a large scale, or
  • of special categories of data (Art. 9 GDPR) and of personal data relating to criminal convictions and offences (Art. 10 GDPR) on a large scale.

The DPO may be an employee of the controller/processor (internal DPO) or may perform its tasks on the basis of a service contract concluded with an individual or an organization (external DPO). Whether an internal or an external DPO is the better choice depends on the size of the company, the nature and extent of its data processing activities and the available budget.

The GDPR does not prescribe the form in which the DPO must be appointed. A written designation is therefore not mandatory, but it is strongly advised. In any case, the controller/processor must publish the DPO's contact details (e.g., on the company's website) and communicate them to the Supervisory Authority (Art. 37(7) GDPR). This is required because the DPO is the link between the controller/processor and the data subjects (inside and outside the company), as well as the Supervisory Authority.

In accordance with Art. 37(5) GDPR, the DPO must be designated on the basis of

(1) professional qualities,
(2) expert knowledge of data protection law and practice, and
(3) the ability to fulfil the tasks referred to in Art. 39 GDPR.

The GDPR does not further clarify what exactly is meant by these criteria. However, the Article 29 Working Party (WP29) issued guidelines on DPOs addressing this question, available at: https://ec.europa.eu/newsroom/document.cfm?doc_id=43823.

According to the WP29 guidelines, the DPO should be an expert in national and EU data-protection law with a comprehensive knowledge of the GDPR. Although a strong legal background is necessary, the tasks of the DPO also include many non-legal elements. A solid technical understanding is particularly important, since the DPO must be able to assess the IT systems used for processing and the risks associated with them. Further, a good command of the local language is essential for communication with the Supervisory Authority and with data subjects.

Irrespective of whether the designation of a DPO is mandatory or voluntary, Art. 38(1)-(3) GDPR sets out a number of guarantees to ensure that the DPO is able to perform its duties properly. These guarantees include

  • timely involvement of the DPO in all issues relating to the protection of personal data
  • support for the DPO's performance of its statutory tasks (necessary resources, access to personal data and processing operations, and the means to maintain its expert knowledge)
  • independence of the DPO (no instructions regarding the exercise of its tasks, no dismissal or penalty for performing them, and direct reporting to the highest management level)

Tasks

The main tasks of the DPO are listed in Art. 39 GDPR and include:

  • informing and advising the company and the employees who carry out processing about their data-protection obligations
  • monitoring compliance with data-protection law and with the company's data-protection policies (including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits)
  • providing advice, where requested, on the data protection impact assessment (DPIA) and monitoring its performance
  • acting as the contact point for, and cooperating with, the Supervisory Authority on issues related to processing, including prior consultation
  • acting as the contact point for data subjects

The DPO may also perform other tasks and duties, provided they do not result in a conflict of interests (Art. 38(6) GDPR).

Liability

Because of its advisory role, the DPO is not personally liable for non-compliance with the GDPR. Rather, it is the controller's/processor's responsibility to comply with the data-protection provisions (see Art. 24(1) GDPR).

It is important to note, however, that Member States may choose to provide for the DPO's personal liability in their national laws.

Nevertheless, the DPO remains answerable to the controller/processor for breaches of its own duties within its area of responsibility, under the applicable employment or service contract. Consequently, the controller/processor may be able to claim compensation from the DPO if the DPO breaches its obligations.