Data protection officers

The data protection officer must be provided with sufficient time, tools and competencies for performing his or her duties. The data protection officer should also be given the opportunity to seek training.

The data protection officer or his or her team shall be involved in the handling of all questions related to data protection at the earliest stage possible.

The data protection officer should always be present when decisions affecting data protection are made. All relevant information shall be delivered to the data protection officer immediately so that he or she can give appropriate advice.

The data protection officer must have the possibility to report directly to the management. The data protection officer shall be regularly invited to high- and mid-level meetings.

The opinion of the data protection officer shall be given the appropriate weight. In case of a difference of opinion, the grounds on which the advice of the data protection officer was not followed should be documented.

The data protection officer shall be consulted as soon as possible on any personal data breaches or other issues concerning data protection.

Compliance with data protection regulations is the responsibility of the controller or processor. Data protection officers are not personally responsible for infringements of the General Data Protection Regulation.