Data Protection Officer (DPO)

Who are these actors?

The Data Protection Officer is a natural person who is professionally qualified to operate independently within an organization to ensure the application of the GDPR in that organization. DPOs therefore ensure the correct processing of personal data within a company, be it the personal data of its staff, its customers or other data subjects. Art. 37(1) GDPR lists the circumstances in which, and the entities that, are to appoint a DPO, such as public authorities that process data or cases where data subjects need to be monitored regularly. Art. 37 GDPR further states that a DPO should have the professional qualities needed to fulfil their tasks and that the DPO's contact details are to be communicated to the supervisory authority. Accordingly, all EU institutions and bodies have an appointed DPO.[1] The EDPS states that a DPO should be “… an expert on data protection law and practices, and be in a position to operate independently within the organization.” [2]

What are their tasks?

It is the task of a DPO to ensure that the rights of data subjects, such as the staff, customers or other individuals, are protected by ensuring the correct application of the GDPR in an organization. The DPO should keep a record of the processing that is performed or controlled in that organization.

Furthermore, the DPO needs to ensure that controllers and data subjects know about their rights and responsibilities. This includes raising awareness of the GDPR and advising the controller on how best to implement it within the organization. This is done to create accountability for possible violations.

Should complaints or violations arise, the DPO has to handle such complaints and cooperate with the EDPS on how best to address them. Additionally, it is the task of the DPO to draw the organization's attention to any failure to comply with the GDPR.

What are their rights and responsibilities?

It is the responsibility of a DPO to ensure compliance with the GDPR when processing personal data. DPOs are responsible for ensuring that the rights of data subjects (Art. 12 – 23 GDPR, such as the right of access and the right to rectification) are not infringed upon. To do this, DPOs need to keep a register of the processing operations that are controlled or performed within their organization.

In order to fulfil the tasks mentioned above, DPOs should be provided with additional rights within their organization. DPOs should not be in a conflict of interest, which means that DPOs should not also be a processor or controller of data. DPOs should not be employees on a short contract and should not have to report to a direct superior as these circumstances could prevent a DPO from doing their job effectively. Instead, DPOs should be able to conduct their work independently and should report directly to the top-level management. Furthermore, DPOs should be responsible for managing their own budget and should receive the resources and staff they need to perform their work.[3] This includes having the authority to investigate independently within an organization or a research project.

References


[1] A list of the DPOs in EU institutions and bodies can be found here: “Network of DPOs”, https://edps.europa.eu/node/53 (last visited: 02.12.2020)

[2] https://edps.europa.eu/data-protection/data-protection/glossary/d_en (last visited: 02.12.2020)

[3] https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en
