Data Protection Officer (DPO)

What does a Data Protection Officer do?

A Data Protection Officer has the following duties under Article 39 of the General Data Protection Regulation:

• Inform and advise the organization and its employees about their obligations under the GDPR and other data protection laws.

• Monitor compliance with the GDPR and other data protection laws, including conducting audits and reviewing the organization's data protection policies and practices.

• Function as contact point for data subjects, supervisory authorities and other stakeholders on issues related to the organization's data protection practices.

• Coordinate the organization's response to privacy breaches and other privacy incidents.

• Maintaining up-to-dateness of privacy laws and best practices and advising the organization on how to adapt to these changes.

• Collaborate with data protection authorities.

What must a data protection officer be able to do?

The General Data Protection Regulation does not provide a list of specific qualifications for the role of Data Protection Officer. However, it does specify that a DPO must have "expert knowledge of data protection laws and practices." In addition, it is advisable to have a comprehensive understanding of the company's IT infrastructure, technology, and technical and corporate structure. The appointed person must have sufficient resources and independence to perform the job.

A data protection officer may not receive instructions regarding the performance of duties. In addition, he or she may not be dismissed or discriminated against by the employer because of the performance of the duties. However, this does not mean general protection against dismissal. In addition, a DPO must report directly to the highest level of management. A DPO is bound to secrecy and confidentiality in the performance of his or her duties.

Who can become a data protection officer?

Anyone in the company who meets the above criteria. It is possible to appoint an existing employee as data protection officer or, of course, to hire someone from outside the company. This can therefore be an employee or a self-employed person. When looking for the right person, it is important to note that this person can manage data protection and compliance internally, and in the event of non-compliance, report breaches to the relevant regulatory authorities.

Who needs a data protection officer?

With the entry into force of the GDPR on May 25, 2018, a data protection officer is mandatory under Article 37 for all companies that regularly collect or process personal data of EU citizens on a large scale.

This applies in particular to the following companies:

• Companies with more than 10 employees that regularly handle personal data.
• Companies that process special categories of personal data, such as health data or children's data.
• Public entities, regardless of the size or nature of their operations.
• Companies that regularly conduct monitoring activities, such as video surveillance or monitoring of online behavior

Smaller companies may also appoint a data protection officer if they deem it necessary. In addition, a data protection officer may also be appointed voluntarily if a company takes its data protection responsibilities particularly seriously.

In summary, the main tasks of a DPO in the EU are to ensure company compliance with data protection laws, to provide guidance on best data protection practices, and to serve as a contact point for data subjects and supervisory authorities on data protection issues.