Commentary to art. 39

GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Tasks of the Data Protection Officer

  • The GDPR sets out the tasks of the DPO, but that list is not exhaustive;
  • The DPO only plays an advisory and compliance monitoring role - it is not the DPO who decides on the implementation of technical and organisational measures;
  • When defining the scope of the DPO's duties, care should be taken not to create a conflict of interest (which would arise if the DPO were to review decisions that he or she has taken himself or herself).

Tasks of the DPO:

Article 39 sets out the duties of the DPO, the main ones being to:

  • Inform and advise the entity that has appointed him or her of its obligations under data protection legislation;
  • Monitor compliance with data protection legislation and the policies of the entity that appointed him or her;
  • Carry out awareness-raising activities and train staff involved in data processing operations and related audits.

The role of the DPO is to advise the entity that has appointed him or her and to monitor compliance. However, it is not the role of the DPO to actually make decisions and implement appropriate technical and organisational measures in the given institution or company (for example, developing personal data protection procedures). According to the GDPR, such tasks are the responsibility of the controller or processor. A different approach could lead to a conflict of interest, as described in the Commentary to Article 38, as the DPO would be exercising de facto control over actions and decisions that he or she has taken himself or herself. Therefore, although the list in Article 39 is not exhaustive, as PUODO points out in the National Report of the Polish Supervisory Authority,

GDPR Article 38(6) should always be taken into account when imposing other tasks on the DPO, i.e. that the tasks imposed by the controller on the DPO should not give rise to a conflict of interest.

What the DPO does not do:

PUODO has explicitly stated that:

  • The controller should not consent to the DPO authorising the processing of personal data on behalf of the controller.

First of all, the obligations set out in GDPR Articles 29 and 32(1) and (4) are the obligations of the controller. (...) Indeed, such persons should have the best knowledge of the organisation of work in their entity and thus determine in the most appropriate way to whom and to what extent the relevant data processing authorisation should be granted. Therefore, in order to ensure an adequate data protection system in the entity, the most appropriate solution would be for the data processing authorisation to be granted by the controller (processor) himself or, depending on the size of the entity and its structure, by, for example, the head of the human resources department or the heads of other organisational units. This is because these persons are in the best position to determine to whom and to what extent the authorisation should be granted and to update it on an ongoing basis. The role of the DPO, on the other hand, focuses on monitoring compliance with data protection legislation and internal policies and the proper implementation of the resulting obligations, as well as providing advice and raising awareness of these obligations. Therefore, the DPO should not be the only person to perform the duties set out in GDPR Articles 29 and 32(1) and (4). This would create a conflict of interest, which is prohibited for DPOs by GDPR Article 38(6). Instead, the role of the DPO may be to advise or consult on the solutions that the controller (or processor) intends to adopt with regard to the implementation of the duties set out in GDPR Articles 29 and 32(1) and (4), including, for example, the procedures for granting processing authorisations or the content of those authorisations. The role of the DPO is therefore to assist the controller in complying with and properly applying data protection legislation, and not to assist the controller in the performance of his or her tasks (source: PUODO website).

  • The DPO should not draft the data entrustment agreement.

If the DPO were to draft a data entrustment agreement to which the entity that has appointed the DPO is a party, this would imply that the DPO is involved in the decision-making process on the design of this contractual relationship. In the opinion of PUODO, this situation would also lead to a conflict of interest, since

[the DPO] (...) would first determine the form of the relationship between the controller and the processor, as well as the rights and obligations of the parties to the agreement, and then, in the course of performing his or her duties, would at the same time be required to assess the correctness and compliance of the decisions taken in this respect.

  • The DPO should not maintain a record of personal data processing activities.

According to GDPR Article 30(1), the controller should maintain a record of personal data processing activities under his or her responsibility. Interestingly, in the Guidelines on Data Protection Officers, the Article 29 Working Party considered that

nothing prevents a controller or processor from entrusting the IOD [i.e. DPO - editor's note] with maintaining, on behalf of the controller or processor, a record of data processing activities. Such a record should be seen as one of the tools enabling the DPO to fulfil his or her tasks of monitoring compliance and informing and advising the controller or processor.

However, PUODO takes a different view, stating that the DPO may only assist the controller in maintaining the record, for example by providing advice, rather than actually maintaining it himself or herself.

  • It is the role of the controller, not the DPO, to develop an internal policy on the protection of personal data.

According to PUODO, the role of the DPO is

(...) to assess the measures taken by the controller (including internal policies) in terms of their compliance with the law and their effectiveness. (...) When developing data protection policies, it is advisable for the controller to seek the advice and guidance of the Data Protection Officer (DPO), who has expertise in data protection law and practice (...).

However, this is where the role of the DPO ends - it is the controller's responsibility to implement organisational measures, including, in particular, internal policies.

What does it mean for the DPO to perform his or her duties with due regard to risk:

According to the commented provision, the DPO shall perform his or her duties with due regard to the risk involved in data processing operations, taking into account the nature, scope, context and purposes of the processing. Both PUODO and the Article 29 Working Party point out that, in practice, this means that the DPO should prioritise his or her activities, depending on the needs of the given institution or company in which he or she is appointed, and focus on the areas with the highest risk for that institution or company.

Selected decisions of supervisory authorities:

PUODO’s admonition - the given entity obliged the