Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Section 5.13 What is the role of the DPO with respect to data protection impact assessmentsandrecordsof processing activities?
As far as the data protection impact assessment is concerned, the controller or the processor should seek the advice of the DPO, on the following issues, amongst others:
-
whether or not to carry out a DPIA
-
what methodology to follow when carrying out a DPIA
-
whether to carry out the DPIA in-house or whether to outsource it
-
what safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects
-
whether or not the data protection impact assessment has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with data protection requirements
As far as the records of processing activities are concerned, it is the controller or the processor, not the DPO, who is required to maintain records of processing operations. However, nothing prevents the controller or the processor from assigning the DPO with the task of maintaining the records of processing operations under the responsibility of the controlleror the processor. Such records should be considered as one of the tools enabling the DPO to perform its tasks of monitoring compliance, informing and advising the controller or the processor.
Source: Article 39(1)(c) and Article 30 of the GDPR
