Section 4 (Articles 37 to 39) of the GDPR sets out when applicable firms must appoint a data protection officer (DPO), how the role must be supported, and what the DPO must do. All emphasis added unless otherwise stated.
When a DPO must be appointed
According to Article 37(1), data controllers and processors shall designate a DPO where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Most firms required to appoint a DPO would fall under subparagraphs (b) and (c).
Responsibilities of controllers/processors
- The DPO shall be involved in all issues relating to the protection of personal data (38.1)
- The DPO shall receive resources necessary to execute his/her duties, and to maintain expert knowledge (i.e. ongoing training) (38.2)
- The DPO shall be reachable by data subjects regarding the processing of their personal data and the exercise of their rights (38.4); the controller/processor shall publish the DPO's contact details and communicate them to the supervisory authority (37.7)
- The DPO shall neither receive instructions on nor be dismissed or penalized for the exercise of his/her duties (38.3)
- The DPO shall report to the highest management level (38.3)
- The DPO shall be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practices, and the ability to fulfil his/her tasks (37.5)
- The DPO may fulfill other tasks and duties beyond the GDPR, provided that they do not constitute a conflict of interest (38.6)
- The DPO may be a staff member or may perform the tasks under a service contract (37.6). This opens the door for controllers/processors to engage outsourced specialty firms to fulfil the DPO requirement.
Responsibilities of DPOs
Article 39 outlines five minimum tasks that the DPO must perform:
- Inform and advise the controller or processor, and the employees who carry out processing, of their obligations under the GDPR and other data protection provisions
- Monitor compliance with the GDPR, other data protection provisions, and the controller's or processor's internal data protection policies; this includes the assignment of responsibilities, awareness-raising, staff training, and audits
- Advise on data protection impact assessments (DPIAs) and monitor their performance (Article 35)
- Cooperate with the supervisory authority
- Serve as the contact point for the supervisory authority on issues relating to processing, including prior consultation under Article 36
The GDPR additionally binds the DPO to confidentiality and requires the DPO to take a risk-based approach to the tasks above:
- “The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.” (38.5)
- “The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.” (39.2)