The primary role of the data protection officer (DPO) is to ensure that her organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. In the EU institutions and bodies, the applicable Data Protection Regulation (Regulation (EC) 45/2001) obliges each of them to appoint a DPO. Regulation (EU) 2016/679, which obliges some organisations in EU countries to appoint a DPO, will be applicable as of 25 May 2018.
Appointing a DPO
The appointment of a DPO must of course be based on her personal and professional qualities, but particular attention must be paid to her expert knowledge of data protection. A good understanding of the way the organisation operates is also recommended.
Position of the DPO in the organigramme
The DPO is an integral part of the organisation, making her ideally placed to ensure compliance. Nevertheless, the DPO should be able to perform her duties independently. In the EU institutions and bodies, there are a number of assurances guaranteeing this independence:
- The applicable rules for EU institutions and bodies expressly provide that the DPO shall not receive any instructions regarding the performance of her duties;
- There must not be a conflict of interest between the duties of the individual as a DPO and her other duties, if any. To avoid conflict, it is recommended that:
  - a DPO should not also be a controller of processing activities (for example if she is head of Human Resources);
  - the DPO should not be an employee on a short or fixed-term contract;
  - a DPO should report to top management rather than to a direct superior;
  - a DPO should have responsibility for managing her own budget.
- The organisation must offer staff and resources to support the DPO in carrying out her duties. In this respect, DPOs in EU institutions and bodies can be assisted by an assistant or deputy DPO, and can rely on data protection coordinators (DPCs) in each section of the organisation. Access to resources also includes training facilities.
- The DPO should have the authority to investigate. In EU institutions and bodies, for instance, DPOs have immediate access to all personal data and data processing operations; those in charge are also required to provide information in reply to her questions.
- A minimum term of appointment and strict conditions for dismissal must be set out by the organisation for a DPO post. In the EU institutions and bodies, the DPO is appointed for a period of between 2 and 5 years, may be reappointed for up to a maximum of 10 years and can be dismissed only with the consent of the EDPS.
Tasks of the DPO
The DPO has to ensure that the data protection rules are respected, in cooperation with the data protection authority (for the EU institutions and bodies, this is the EDPS). In the EU institutions and bodies, the DPO must:
- Ensure that controllers and data subjects are informed about their data protection rights, obligations and responsibilities and raise awareness about them;
- Give advice and recommendations to the institution about the interpretation or application of the data protection rules;
- Create a register of processing operations within the institution and notify the EDPS of those that present specific risks (so-called prior checks);
- Ensure data protection compliance within her institution and help the latter to be accountable in this respect;
- Handle queries or complaints on request by the institution, the controller, other person(s), or on her own initiative;
- Cooperate with the EDPS (responding to his requests about investigations, complaint handling, inspections conducted by the EDPS, etc.);
- Draw the institution's attention to any failure to comply with the applicable data protection rules.