Introduction Guidelines Data Protection Officers DPO
Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Section 1 Introduction
The General Data Protection Regulation (‘GDPR’) due to come into effect on 25 May 2018, provides a modernised, accountability-based compliance framework for data protection in Europe.
DPO’s at the heart of GDPR
Data Protection Officers (‘DPO’s) will be at the heart of this new legal framework for many organisations, facilitating compliance with the provisions of the GDPR. Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that-as a core activity -monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale. Even when the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis. The Article 29 Data Protection Working Party (‘WP29’) encourages these voluntary efforts.
Concept of Data Protection Officer is not new
The concept of DPO is not new. Although Directive 95/46/EC3 did not require any organisation to appoint a DPO, the practice of appointing a DPO has nevertheless developed in several Member States over the years.Before the adoption of the GDPR, the WP29 argued that the DPO is a cornerstone of accountability and that appointing a DPO can facilitate compliance and furthermore, become a competitive advantage for businesses.4In addition to facilitating compliance through the implementation of accountability tools (such as facilitating data protection impact assessments and carrying out or facilitating audits), DPOs act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and businessunits within an organisation). DPOs are not personally responsible in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions (Article 24(1)). Data protection compliance is a responsibility of the controller or the processor.
Crucial role of data controller and processor
The controller or the processor also has a crucial role in enabling the effective performance of the DPO’s tasks. Appointing DPO is a first step but DPOs must also be given sufficient autonomy and resources to carry out their tasks effectively. The GDPR recognises the DPO as a key player in the new data governance system and lays down conditions for his or her appointment, position and tasks. The aim of these guidelines is to clarify the relevant provisions in the GDPR in order to help controllers and processors to comply with the law, but also to assist DPOs in their role. The guidelines also provide best practice recommendations, building on the experience gained in some EU Member States.The WP29 will monitor the implementation of these guidelines and may complement them with further details as appropriate.
