Article 39. GDPR. Tasks of the data protection officer

Authors: Stefan Drewes and Sebastian Bretthauer

1. The data protection officer shall have at least the following tasks:

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Art. 35;

(d) to cooperate with the supervisory authority;

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Art. 36, and to consult, where appropriate, with regard to any other matter.

2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

A. General overview

Art. 39 provides an overview of the basic tasks the DPO must fulfil. This assignment of tasks also applies to DPOs who are appointed voluntarily. The list reflects the role the DPO has in the company: auditing data processing activities and pointing out any deficiencies so that the relevant executive can take action to address them and prevent further non-compliance by the organisation. In addition, the DPO outlines the options the company or an authority has when designing its data processing. Nevertheless, the DPO is not personally responsible for any data processing taking place within the organisation. It is up to the controller to ensure compliance with the GDPR's requirements, as required by Art. 24.

B. Specific considerations

Paragraph 1 contains a non-exhaustive list of tasks assigned to the DPO. It can be extended with further tasks by individual agreement with the DPO or, in a general way, by policies of the controller. In addition, national legislators may also assign further tasks to a DPO. These additional tasks must not conflict with the DPO's independence.

For external DPOs, the area of responsibility may also be extended through their contract with the organisation. Such an extension must not undermine the position of the DPO in the company or conflict with their role as an independent controlling body inside the company or authority. The transfer of additional tasks is limited and may not place the DPO in a position where they become responsible for compliance with GDPR requirements.

I. Informing and advising on data protection obligations (lit. a)

Informing and advising the controller or the processor, as well as the employees who carry out data processing, is a basic task of the DPO under para. 1 lit. a. Informing and advising serve different purposes but overlap, and the distinction between them carries no legal implications.

Informing a controller includes general communications and advice on relevant legal issues and developments, such as new legal requirements and new guidance from the EDPB, as well as new technical developments that may give rise to privacy risks or, conversely, provide additional safeguards. It also includes explaining these regulations and the respective legal concepts. Whereas information is provided proactively, advice is aimed at addressing specific questions or issues that arise within the authority or company.


[…]
