Data protection officers
A data protection officer is an expert within the organisation who monitors the processing of personal data and advises on compliance with data protection legislation.
The data protection officer
- monitors compliance with data protection rules across the organisation and highlights any deficiencies
- provides management and the employees that process personal data with information and advice on their duties specified in the data protection rules
- gives advice on carrying out the data protection impact assessment and monitors its implementation
- serves as the contact person for data subjects in matters related to the processing of personal data and
- is the point of contact with the Office of the Data Protection Ombudsman and cooperates with the Office.
Instructions for organisations and managers that have designated a data protection officer
The data protection officer must be given the support required by data protection legislation. The organisation must cooperate with the data protection officer in building an appropriately comprehensive and independent role for the officer.
The data protection officer must be provided with the resources – time, tools and competence – required for the appropriate performance of their duties. The data protection officer must have the opportunity to update their competence through training. The EU's new digital and AI legislation should be taken into account in the training if relevant for the data protection officer's duties.
The data protection officer should have a deputy, because personal data breach notifications and the fulfilment of data subjects' rights must not be delayed by the data protection officer's absence.
The data protection officer or their team must be involved in the handling of all questions related to data protection at the earliest possible stage.
The data protection officer must be given all relevant information without delay so that they can provide appropriate advice. The data protection officer should always be present when decisions affecting data protection are made.
The data protection officer's duties and obligations should be defined clearly and in writing, and the organisation's personnel must be informed of them.
The data protection officer must be able to report directly to senior management. The data protection officer should be regularly invited to high- and mid-level meetings.
The opinion of the data protection officer must always be given the appropriate weight. In case of a difference of opinion, the grounds on which the advice of the data protection officer was not followed should be documented.
The data protection officer must be consulted as soon as possible if a personal data breach or other issue concerning data protection is detected.
Data protection officers are not personally liable for infringements of the GDPR. Compliance with data protection regulations remains the responsibility of the controller or processor.
The data protection officer must be independent and may not have conflicts of interest in their duties as data protection officer. As every organisation is unique, such conflicts of interest must be examined on a case-by-case basis. In particular, the data protection officer cannot hold a position in which they determine the purposes and means of processing personal data, as that is the controller's function.
The data protection officer must not be instructed on how to perform their duties, and may not be dismissed or penalised for performing their data protection duties.
Read more:
Instructions for organisations and managers that have designated a data protection officer (pdf)
Designation of the data protection officer
GDPR: Articles 37‒39, recital 97 (EUR-Lex)
Guidelines on Data Protection Officers (pdf)
Report: Designation and Position of Data Protection Officers (edpb.europa.eu)