When a Data Protection Officer is appointed by a company or a public authority whether voluntarily or because of a legal requirement (see article about when it is required to appoint a DPO here), the GDPR provides for some requirements to be met.
Therefore any controller or processor willing or having to appoint a DPO should pay attention to the following points:
- The contractual relationship between the DPO and the Controller or Processor
- The required skills and level of expertise of the DPO
- The position of the DPO within the company organisation and the resources to be allocated
Contractual relationship between the DPO and the controller(s) or processor(s)
It is not necessarily required to appoint a DPO per company, especially within a group. Therefore, a single DPO may be appointed for several undertakings in the following cases:
- A group of undertakings (e.g. a group of companies) as long as (s)he is easily accessible from each establishment.
- Public authority or body taking into account of their organisational structure and size.
- Entity representing categories of controllers or processors
Furthermore, the data protection officer may:
- be a staff member of the controller or processor, or fulfill his/her tasks on the basis of a service contract.
- work as part of a team or alone depending on the needs
- perform their tasks on a full or part time basis and be in charge of other activities. However, conflict of interest of any kind must be avoided (e.g. it should never be in a position to determine the means and the purposes of a processing carried out by the company).
Skills and Expertise of the DPO
The level of expertise required is not defined in the GDPR and should vary depending on the complexity of the organisation and more particularly of its data processing activities.
It is expected that the DPO have expertise in national and European data protection laws and practices and an in depth understanding of the GDPR. Therefore DPO with legal background should be preferred.
It should also have sufficient knowledge of the business sector and of the organization of the controller as well as good understanding of the processing operations carried out including information system and data security as well as data protection needs of the controller or processor.
Where (s)he is appointed by a public authority or body, the DPO should also have knowledge of the administrative rules and procedures of the organization.
Position of the DPO within the controller or processor’s organisation when carrying out their mission:
According to the article 38 of the GDPR, the DPO must be involved in all issues relating to the protection of personal data.
Necessary resources must be allocated to enable the DPO to fulfill their mission. In practice, it is expected that DPOs receive active support by senior management, sufficient time, financial resources, infrastructure and staff where appropriate as well as continuous training.
The DPO should act in an independent manner and it is required that they should not receive any instructions regarding the exercise of their tasks.
It is not possible to impose penalties on the DPO as result of the DPO carrying out their duties. These prohibited penalties may take different forms from dismissal to a mere threat.