Although many of us first heard the term Data Protection Officer (DPO) with the General Data Protection Regulation (GDPR), which came into force on May 25, 2018, in the European Union, the term actually came into use, with some differences, through the European Parliament and European Council Directive 95/46/EC.
Although Directive 95/46/EC does not require any organization to appoint a DPO, the practice of designating one has been seen in some Member States over the years.
Prior to the adoption of the GDPR, WP29 argued that the DPO is the cornerstone of accountability, and that appointing a DPO can streamline the compliance process and also become a competitive advantage for businesses.
Who is a DPO?
The main duty of a Data Protection Officer (DPO) is to ensure that the organization processes the data subjects’ personal data in accordance with the applicable data protection legislation.
One of the main responsibilities of the DPO is to monitor a company’s compliance. DPOs inform and advise controllers and employees about their data protection obligations. They also advise on Data Protection Impact Assessments (DPIA) and monitor the performance of the assessment, as required by Article 35 of the GDPR.
The DPO acts as a point of contact for the relevant persons and the supervisory authority and, where necessary, as an advisory authority, on matters related to processing activities, including the matters regulated in Article 36 of the GDPR. They cooperate and communicate with the competent authorities.
In addition, the DPO has the duty to raise awareness among the employees involved in the processing activities, train them, and monitor the data controller’s and the data processor’s compliance with the policies for the protection of personal data.
In performing all these duties, the DPO must take into account the nature, scope, context, and objectives of the processing activities and the risks associated with those activities.
Rights of the Data Protection Officer
DPOs have some rights apart from their responsibilities. In order for DPOs to fulfill their duties, company resources must be provided to them.
According to Article 38 of the GDPR, the controller and processor are obliged to ensure that the DPO is involved in all matters relating to the protection of personal data in a timely and appropriate manner. It should be ensured that the DPO has access to personal data and processing activities.
DPOs must be independent. The DPO cannot be dismissed or penalized by the data controller or the data processor for performing their tasks. In addition, the DPO is obliged to report directly to the executives of the data controller and is subject to the confidentiality obligation regarding the performance of their duties.
DPOs are not personally liable for non-compliance with the GDPR. The GDPR clearly states that the data controller or processor must ensure and be able to demonstrate that the data processing activities are carried out in accordance with the applicable provisions. In other words, compliance with data protection legislation is the responsibility of the data controller or data processor.