What are the responsibilities and requirements of a Data Protection Officer (DPO)?

Disclaimer

This article is written in collaboration with a law agency. However, it is intended for general information purposes only. It does not constitute a client-attorney relationship or personalized legal advice.

This post covers the bare minimum you need to know about appointing a Data Protection Officer and their duties. If you are unsure whether or not you need one, read this post.

The DPO is one of the key positions for achieving compliance with GDPR. There are some formal requirements on the DPO set out in GDPR Art. 37(5). The DPO has to be a professional with expert knowledge of data protection law and practices. In addition to that, the DPO must be able to fulfil a minimum set of tasks.

GDPR Art. 39 describes these tasks. They are as follows:

  1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to GDPR and to other relevant data protection laws;
  2. to monitor compliance with GDPR and other relevant data protection laws and with the organisational policies of the controller or processor in relation to the protection of personal data. This includes the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  3. to provide advice where requested as regards the data protection impact assessment (DPIA) and to monitor its performance;
  4. to act as the contact point for the supervisory authority on issues relating to processing and other relevant data protection matters, and to cooperate with the supervisory authority.

This is only the minimal set of responsibilities of the DPO. The DPO can be given other duties as long as they don’t result in a conflict of interest.

The DPO must stay up to date with data protection laws and regulations and you (the employer) must provide the means to do so. For example, this might mean taking relevant courses on the subject.

DPOs are meant to perform their tasks in an independent manner, meaning that you may not give them instructions nor influence them in any way. However, you must ensure that the DPO is involved, properly and in a timely manner, in all issues related to the protection of personal data. You must provide all the support and resources necessary for carrying out the DPO’s tasks. The DPO shall report directly to the highest level of management. The DPO may not be dismissed or penalised by the controller/processor (you) for performing their tasks.

Note that the last requirement gives the DPO a relatively simple way to cause you various legal trouble even if you decide to fire them for completely legitimate reasons. Pay special care when appointing the DPO and also when firing them – the latter turns out to be quite difficult under GDPR.

You are allowed to hire a DPO, or you can buy in DPO services on the basis of a service contract. Once you have designated your DPO, you must publish the contact details of the DPO and communicate them to the supervisory authority.


Maarja Lehemets

Lawyer @ Triniti