It is crucial that the DPO is involved from the earliest stage possible in all issues relating to data protection. In relation to data protection impact assessments, the GDPR explicitly provides for the early involvement of the DPO and specifies that the controller shall seek the advice of the DPO when carrying out such impact assessments. In addition, it is important that the DPO be seen as a discussion partner within the organisation and that he or she is part of the relevant working groups dealing with data processing activities within the organisation.
Consequently, the organisation should ensure, for example, that:
- the DPO is invited to participate regularly in meetings of senior and middle management;
- the DPO's presence is recommended where decisions with data protection implications are taken, and all relevant information is passed on to the DPO in a timely manner so that he or she can provide adequate advice;
- the opinion of the DPO is always given due weight; in case of disagreement, the WP29 recommends, as good practice, documenting the reasons for not following the DPO's advice;
- the DPO is promptly consulted once a data breach or another incident has occurred.
Where appropriate, the controller or processor could develop data protection guidelines or programmes that set out when the DPO must be consulted.
Article 38(2) of the GDPR requires the organisation to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge’. The following items, in particular, are to be considered:
- active support of the DPO’s function by senior management (such as at board level).
- sufficient time for DPOs to fulfil their duties. This is particularly important where the DPO is appointed on a part-time basis or where the employee carries out data protection duties in addition to other duties. Otherwise, conflicting priorities could result in the DPO's duties being neglected.
- adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate.
- official communication of the designation of the DPO to all staff to ensure that the DPO's existence and function are known within the organisation.
- necessary access to other services, such as Human Resources, legal, IT, security, etc.
- continuous training. DPOs should be given the opportunity to stay up to date with regard to developments within data protection.
- given the size and structure of the organisation, it may be necessary to set up a DPO team (a DPO and his/her staff). In such cases, the internal structure of the team and the tasks and responsibilities of each of its members should be clearly drawn up.
The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of his or her tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing those tasks. The data protection officer shall report directly to the highest management level of the controller or the processor. The autonomy of DPOs does not, however, mean that they have decision-making powers extending beyond their tasks pursuant to Article 39.
The controller or processor remains responsible for compliance with data protection law and must be able to demonstrate compliance. If the controller or processor makes decisions that are incompatible with the GDPR and the DPO's advice, the DPO should be given the possibility to make his or her dissenting opinion clear to those making the decisions.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018