Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Categories Blog, Business, Design / Branding, Free Data Protection Resources
Date September 7, 2020

Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Section 4.5. Role of the DPO in record-keeping

Under Article 30(1) and (2), it is the controller or the processor, not the DPO, who is required to ‘maintain a record of processing operations under its responsibility’ or ‘maintain a record of all categories of processing activities carried out on behalf of a controller’.

In practice, DPOs often create inventories and hold a register of processing operations based on information provided to them by the various departments in their organisation responsible for the processing of personal data. This practice has been established under many current national laws and under the data protection rules applicable to the EU institutions and bodies.

Article 39 (1) provides for a list of tasks that the DPO must have as a minimum. Therefore, nothing prevents the controller or the processor from assigning the DPO with the task of maintaining the record of processing operations under the responsibility of the controller or the processor. Such a record should be considered as one of the tools enabling the DPO to perform its tasks of monitoring compliance, informing and advising the controller or the processor.

In any event, the record required to be kept under Article 30 should also be seen as a tool allowing the controller and the supervisory authority, upon request, to have an overview of all the personal data processing activities an organisationis carrying out. It is thus a prerequisite for compliance, and as such, an effective accountability measure.