Article 38. GDPR. Position of the data protection officer

Authors: Stefan Drewes and Sebastian Bretthauer

  1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
  2. The controller and processor shall support the data protection officer in performing the tasks referred to in Art. 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
  3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
  4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
  5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
  6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

A. General overview

Art. 38 establishes the position of a DPO in the organisation and must be read together with Art. 39 where the tasks of the DPO are defined.[1] Any data processing, in particular any new processing to be introduced, must involve the DPO who should act with independence.[2]

It is crucial that the controller involves the DPO properly and in a timely manner in all issues which relate to the protection of personal data. This requires the controller to actively engage with the DPO in order to ensure an appropriate and effective exercise of the DPO's tasks. Under this provision, all data protection issues are subject to an assessment by the DPO.

The controller should proactively involve the DPO in good time, so that the DPO has the opportunity to consider the proposed processing and to advise the controller on any data protection requirements. There must be a real chance that any recommendations of the DPO are implemented before processing commences. There should be internal processes in place to ensure that the controller involves the DPO in a timely manner.

The controller and the processor must ensure the DPO receives all relevant information needed to assess the data processing in question.[3] This includes a description of the data processing being contemplated and the purpose(s) of the processing. The DPO further needs information regarding the source of any personal data and how they were (or are to be) collected, including the information to be presented to the data subject according to Arts. 13 and 14. In addition, information about the applications used for processing personal data and an overview of the relevant IT infrastructure are necessary for the DPO to properly assess the data processing.

II. Support of the DPO (para. 2)

Paragraph 2 ensures the effective fulfilment by the DPO of the tasks outlined in Art. 39.[4] Controllers and processors must provide the information the DPO needs to understand the organisation and its personal data processing. This should include an overview of the IT systems, processes and data flows.[5] The information required by para. 2 goes beyond what the organisation is required to maintain under Art. 30. The records of processing activities provide only a basic orientation for the DPO, enabling them to focus on particular aspects of the organisation's data processing activities. The obligation to support the DPO includes ensuring that they have the time necessary to fulfil the tasks prescribed in Art. 39. Failure to do so could have a detrimental impact on their ability to properly fulfil these tasks and to act in an independent manner.

[…]

[1] In detail see also Drewes, 'Art. 38', in Simitis/Hornung/Spiecker gen. Döhmann, para. 6 et seq.; Alvarez Rigaudias/Spina, 'Art. 38', in Kuner/Bygrave/Docksey, 701 et seq.

[2] See also Bergt, 'Art. 38', in Buchner/Kühling, para. 1 et seq.

[3] Drewes, 'Art. 38', in Simitis/Hornung/Spiecker gen. Döhmann, para. 17.

[4] Alvarez Rigaudias/Spina, 'Art. 38', in Kuner/Bygrave/Docksey, 706 et seq.

[5] Drewes, 'Art. 38', in Simitis/Hornung/Spiecker gen. Döhmann, para. 21.