A data protection officer (DPO) is a natural or legal person who is responsible for compliance with the Data Protection Act in the company.
The data protection officer can be either an internal or an external employee. The data protection officer must have appropriate expertise in the field of data protection practice and data protection law.
He or she must also have organisational, technical and legal knowledge and be able to perform the minimum tasks under Art. 39 without difficulty. Furthermore, he or she must have the ability to design, implement and manage a data protection management system.
Obligation to appoint a data protection officer (Art. 37)
According to Art. 37, Para. 1 of the GDPR, the controller and the processor must appoint a data protection officer in any case if:
- the processing is carried out by a public authority or body, with the exception of courts acting in the exercise of their judicial functions,
- the core activity of the controller or processor consists in carrying out processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of data subjects, or
- the core activity of the controller or processor consists in the extensive processing of special categories of data pursuant to Art. 9 or of personal data relating to criminal convictions and offences pursuant to Art. 10.
Publication of the contact details of the Data Protection Officer
The contact details of the data protection officer must be published, and the DPO must be registered with the supervisory authority.
The GDPR distinguishes between names and contact details. In order to comply with the publication obligation, it is sufficient if the controller only publishes the address and the functional mailbox. The name of the DPO is not mandatory, but is recommended as a confidence-building measure.
The controller must also ensure that data subjects can contact the DPO at the email address provided if they have questions about the processing of their personal data and the exercise of their rights under the GDPR. The controller must also ensure that the inbox is checked regularly and that data subjects receive a reply as soon as possible.
Position of the Data Protection Officer (Art. 38)
The controller and processor must ensure that the data protection officer is properly involved at an early stage in all matters related to the protection of personal data, for example:
- the purchase and introduction of new software products;
- the development of new internal products;
- the design of the marketing strategy;
- the verification of the GDPR compliance of the potential partners.
The DPO must be provided with all the necessary resources to do his job productively and without hindrance, e.g.:
- Rooms, equipment & resources;
- Support staff;
- Access to personal data and processing operations.
He or she must also be enabled to maintain his or her expertise, e.g.:
- Continuing education;
- Technical literature.
In addition, the controller and processor must ensure that the data protection officer does not receive any instructions regarding the performance of his or her tasks. He or she may not be dismissed or subcontracted for the performance of these tasks. The DPO reports directly to the highest management level of the controller or processor, but has no decision-making power.
The DPO may also perform other tasks and duties in the company in addition to his or her data protection activities. However, it must be ensured that these tasks and duties do not lead to a conflict of interest.
Tasks of the Data Protection Officer (Art. 39)
The Data Protection Officer shall have at least the following tasks (Art. 39, para. 1):
- Informing and advising the controller or processor and employees regarding their obligations under the GDPR as well as other data protection regulations;
- Monitoring of GDPR compliance as well as compliance with other data protection regulations;
- Monitoring the personal data protection policies of the controller or processor;
- Awareness raising and training of staff involved in processing operations;
- Advising the controller (upon request) in connection with the data protection impact assessment and monitoring its implementation;
- Cooperation with the supervisory authority;
- Contact point for the supervisory authority on data processing issues, including prior consultation under Art. 36.