The main tasks of the DPO
The duties of the Data Protection Officer (DPO) are governed by Article 39 of the GDPR (General Data Protection Regulation).
The DPO is mainly responsible for:
- informing and advising the controller or processor and their employees;
- monitoring compliance with the Regulation and national law on data protection;
- advising the organisation on carrying out a data protection impact assessment and checking that it has been carried out;
- cooperating with the supervisory authority and being the point of contact for the latter.
The DPO's duties cover all processing carried out by the organisation that has appointed him/her.
The procedures for appointing a DPO can be found in this article
Monitoring compliance with the GDPR
The DPO has the significant task of monitoring compliance with the GDPR.
The GDPR goes even further: in Recital 97, it instructs the DPO to assist the controller or processor in checking internal compliance with this Regulation.
What is meant by "checking compliance with the GDPR"? This can mean:
- collecting information enabling processing activities to be identified;
- analysing and verifying the compliance of processing activities;
- informing, advising and making recommendations to the controller or processor.
Please note: the DPO's task of monitoring compliance with the GDPR does not mean that he/she will be personally liable in the event of non-compliance.
The DPO's impact assessment and advisory role
The responsibility for carrying out an impact analysis, if necessary, lies with the data controller.
However, as part of his advisory role, the DPO may be called upon by the controller.
The DPO thus provides advice, on request, regarding the data protection impact assessment in accordance with Article 39 of the GDPR.
The former G29, now replaced by the European Data Protection Supervisory Board (EDPB), recommends that the controller seek advice from the DPO on the following issues in particular:
- whether or not it is appropriate to carry out a data protection impact assessment;
- the methodology to be followed when carrying out a data protection impact assessment;
- whether the data protection impact assessment should be carried out in-house or outsourced;
- the measures (including technical and organisational measures) to be applied to mitigate any risks to the rights and interests of data subjects;
- whether the data protection impact assessment has been properly carried out and whether its conclusions (whether or not to proceed with the processing and the safeguards to be put in place) comply with the GDPR.
In the event of disagreement between the data controller and the opinion provided by the DPO, the reason why the DPO's opinion was not adopted must be documented and justified in writing.
Risk-based approach and DPO
This approach encourages the DPO to establish priorities in the activities carried out and to concentrate his efforts on subjects representing a high risk in terms of data protection.
Caution: this means that the DPO will, in the first instance, concentrate on the sectors and processing operations presenting a high level of risk.
In no case will the DPO neglect to check the compliance of processing operations presenting a lower level of risk.
This selective approach should help DPOs to advise the controller on:
- the method to be used when conducting a data protection impact assessment,
- the areas that should be subject to an internal or external data protection audit,
- the training activities to be offered to staff or management members responsible for data processing activities,
- the processing operations to which the DPO should devote a greater proportion of his time and resources.
Role of the DPO in keeping the register
In theory, under Article 30(1) and (2) of the GDPR, it is the Controller or Processor, not the DPO, who must:
- keep a record of the processing activities carried out under his responsibility
- or a record of all categories of processing activities carried out on behalf of the controller.
In practice, it is often the DPO who makes inventories and keeps a register of processing operations on the basis of the information provided to them.
Article 39(1) sets out a list of tasks which the DPO must at least be entrusted with.
Consequently, nothing prevents the controller or processor from entrusting the DPO with the mission of keeping the register of processing operations carried out under the responsibility of the controller or processor.
This register is thus considered to be a tool enabling the DPO to carry out his duties of monitoring compliance with the GDPR as well as carrying out his mission of informing and advising the controller or processor.
In any event, the record of data processing activities (ROPA) is also a tool enabling the controller and the supervisory authority to have, on request, an overview of all personal data processing activities carried out by an organisation.
Cooperation with the supervisory authority
One of the DPO's other tasks is to be the point of contact for the data protection authority and to cooperate with it.
In this capacity, the DPO must facilitate access by the authority to documents and information in the context of the exercise of the authority's tasks and powers.
For example:
- during exchanges with the authority in the investigation of a complaint,
- or when clarification is needed on a current project,
- or as part of an inspection by the authority.
The DPO's obligation of confidentiality or professional secrecy must not prevent him/her from asking the authority for advice on any subject, if necessary.