GDPR regulates the scope of involvement of the data protection officer (DPO)
Articles 38 and 39 of the General Data Protection Regulation (GDPR) provide the legal guidelines for the cooperation between the controller and the DPO in any company. It is fundamental to ensure:
1. Early involvement
2. Freedom from instructions
3. Reporting right
4. Counselling for those affected
The DPO must be properly involved at an early stage in all matters of protecting personal data. The controller is therefore obliged to notify the DPO at an early stage on its own initiative, so that the DPO's assessment can still be taken into account when planning a processing operation.
The DPO shall not receive instructions regarding the exercise of their tasks and shall be entitled to all the resources necessary to acquire and maintain the relevant expertise. Any attempt to influence the DPO's audit or advisory findings is strictly prohibited.
The DPO reports directly to the highest management level. Subordinate bodies may not be interposed, in order to rule out any influence at this level.
Active counselling of data subjects is also part of the DPO's tasks. The controller has to publish the DPO's contact details (Art. 37(7) GDPR).
Article 83(4)(a) GDPR regulates the fines that can be imposed on the controller for violations of the provisions of Articles 38 and 39 GDPR:
These can be up to 10 million euros or 2 % of annual revenue.
In 2021, the Luxembourg data protection authority (CNPD) imposed a fine of €18,700 (combined with an injunction) on a Luxembourg private company because the DPO had not been involved in all issues of personal data protection, and thus all four essential obligations had been breached:
- There were no formalised processes or control plans: the DPO was only involved in internal meetings or committees on an "ad hoc" basis (breach of Article 38(1) GDPR).
- There was no clear monitoring plan or procedure in place to ensure that the DPO was able to properly monitor the compliance of the company's data processing practices with the GDPR. Furthermore, the DPO had not received sufficient training to properly and independently advise and inform the controller (infringement of Article 39(1)(b) GDPR).
- The monthly reports to the highest management level also had to be coordinated by the DPO with the Administrative and Financial Director beforehand. In the opinion of the data protection authority, this did not meet the data protection requirements for the autonomy of the DPO (violation of Article 38(3) GDPR).
This clearly shows that data protection supervisory authorities check the involvement of the data protection officer and impose fines where necessary. By appointing an external DPO, a company is always in a secure position.