• Courses
      • Executive Management Courses
      • Global Series of National Privacy Laws
      • Netherlands Privacy Academy (in Dutch)
      • Caribbean Data Protection Academy
    • Resources
    • Join GADPPRO ACADEMY
      • Join GADPPRO Academy as an Official Partner
      • Become an Official GADPPRO Training Entity
      • Join the GADPPRO Business Academy
      • Secretariat & International Training Centre
      • Contact Us
    •  
      • RegisterLog in
    Privacad GADPPRO Academy
      • Courses
        • Executive Management Courses
        • Global Series of National Privacy Laws
        • Netherlands Privacy Academy (in Dutch)
        • Caribbean Data Protection Academy
      • Resources
      • Join GADPPRO ACADEMY
        • Join GADPPRO Academy as an Official Partner
        • Become an Official GADPPRO Training Entity
        • Join the GADPPRO Business Academy
        • Secretariat & International Training Centre
        • Contact Us
      •  
        • RegisterLog in

      Blog

      Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources
      • Date September 7, 2020

      Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

      Section 3.3. Instructions and ‘performing their duties and tasks in an independent manner’

      Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers/processors are required to ensure that the DPO ‘does not receive any instructions regarding the exercise of [his or her] tasks.’ Recital 97 adds that DPOs, ‘whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner’.

      This means that, in fulfilling their tasks under Article 39, DPOs must not be instructed how to deal with a matter, for example, what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority. Furthermore, they must not be instructed to take a certain view of an issue related to data protection law, for example, a particular interpretation of the law.

      The autonomy of DPOs does not, however, mean that they have decision-making powers extending beyond their tasks pursuant to Article 39.

      The controller or processor remains responsible for compliance with data protection law and must be able to demonstrate compliance. If the controller or processor makes decisions that are incompatible with the GDPR and the DPO’s advice, the DPO should be given the possibility to make his or her dissenting opinion clear to the highest management level and to those making the decisions. In this respect, Article 38 (3) provides that the DPO ‘shall directly report to the highest management level of the controller or the processor’. Such direct reporting ensures that senior management (e.g. board of directors) is aware of the DPO’s advice and recommendations as part of the DPO’s mission to inform and advise the controller or the processor. Another example of direct reporting is the drafting of an annual report of the DPO’s activities provided to the highest management level.

      • Share:
      author avatar
      Richard V

      Previous post

      Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
      September 7, 2020

      Next post

      Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
      September 7, 2020

      You may also like

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
      29 November, 2020

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.3  Risks to free flow of personal data within the Union 44. Where the objection will refer to this particular risk, the CSA will need to clarify why it …

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
      29 November, 2020

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.2  Risks to fundamental rights and freedoms of data subjects 39. The issue at stake concerns the impact the draft decision as a whole would have on the data …

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
      29 November, 2020

      Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.1  Meaning of “significance of the risks” 35. It is important to bear in mind that the goal of the work carried out by SAs is that of protecting …

      Search

      Categories

      • Blog
      • Business
      • Design / Branding
      • Free Data Protection Resources
      • Nederlandse Privacy Academie
      • Uncategorized
      Facebook-f Linkedin-in

      © Privacad 2020

      For all your questions about courses

      students@privacad.com

      For all your questions about Privacad for business

      info@privacad.com

      Links

      • Courses
      • Become a GADPPRO Academy Official Training Entity
      • Resources
      • Free Data Protection Resources
      • Blog
      • Profile
      • Students Stewards Network (SSN)

      Support

      • Privacy Policy
      • Terms of Use
      • FAQs
      • Contact

      © GADPPRO Academy | Privacad 2023

      GADPPRO Academy 2023

      Login with your site account

      Lost your password?

      Not a member yet? Register now

      Register a new account

      Are you a member? Login now