The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter
Article 39(2) requires that the DPO ‘have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of processing’.
This article recalls a general and common sense principle, which may be relevant for many aspects of a DPO’s day-to-day work. In essence, it requires DPOs to prioritise their activities and focus their efforts on issues that present higher data protection risks. This does not mean that they should neglect monitoring compliance of data processing operations that have comparatively lower level of risks, but it does indicate that they should focus, primarily, on the higher-risk areas.
Under Article 30(1) and (2), it is the controller or the processor, not the DPO, who is required to ‘maintain a record of processing operations under its responsibility’ or ‘maintain a record of all categories of processing activities carried out on behalf of a controller’.
In practice, DPOs often create inventories and hold a register of processing operations based on information provided to them by the various departments in their organisation responsible for the processing of personal data. This practice has been established under many current national laws and under the data protection rules applicable to the EU institutions and bodies.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018