The proposed function of the Data Protection Officer
The Functions of the DPO within the Organisation
Based on various indications from the Commission about the role of the DPO, we provide an overview below. If you have not already done so, it may well be worth starting to think about candidates within your organisation who might take on this role.
Information and raising awareness function
The DPO will be responsible, on the one hand, for informing staff and members of their rights and, on the other hand, for informing the Data Controller of its obligations and responsibilities.
Raising awareness can take the form of staff information notes, training sessions, setting up of a web site, privacy statements or simply being the ‘go to’ person within the organisation for DP-related questions.
The DPO must ensure that the Regulation is respected by the Data Controller, its staff, and any third party engaged to process personal data on its behalf.
The DPO advises the Data Controller on how best to fulfil their obligations under the legislation. This may involve making recommendations for the practical improvement of data protection structures within the organisation, as well as advising it on matters concerning the application or deployment of data protection procedures, such as data security, records management, disclosure of data outside the organisation, or even destruction of obsolete records.
The DPO may also be consulted by the Data Controller or by individual staff on any matter concerning the interpretation or application of the Regulation.
As mentioned above, all data processing operations, as well as any proposed changes to those activities, must be notified to the DPO.
The DPO should organise a register or log of processing operations which are regularly conducted by the organisation. This register can be made accessible to any person working within the organisation.
Once the DPO has received the notification she/he must identify any apparent risks that this processing change might pose for the personal data held by the organisation. These risks must be taken into account when designing or implementing the proposed change.
In case of doubt as to the need for such risk management solutions, the DPO may consult the Office of the DP Commissioner or a specialist third party.
The DPO has the task of responding to requests from the Office of the DP Commissioner (ODPC) and, within the sphere of their competence, of cooperating and liaising with the ODPC on his/her own initiative. This task emphasises the fact that the DPO facilitates cooperation between the ODPC and the organisation, notably in the context of investigations, complaint handling or confirmation of the interpretation of the legislation.
The DPO should not only have inside knowledge of their own organisation, but should also be well placed to know who the best person within the organisation is to contact for clarifying or resolving any issue.
The DPO may also be aware of recent developments or planned changes likely to impact the protection or security of personal data, and should duly inform the ODPC of them.
Monitoring of compliance
The DPO is to ensure the application of the Regulation within their organisation. The DPO may, on his or her own initiative or at the request of the Data Controller or any individual, investigate matters and occurrences directly relating to his/her tasks and report back to the person who commissioned the investigation or to the Data Controller.
This function is supported by the fact that the DPO should have appropriate access at all times to the personal data held by the organisation, which forms the subject matter of the organisation’s processing operations, and to all offices, data-processing installations and data carriers (including third-party service providers).
Handling queries or complaints
Although not explicitly mentioned in the legislation, this function can be deduced from the fact that the DPO is granted investigation functions:
"Furthermore he or she may, on his own initiative or at the request of the organisation which appointed him or her, the Data Controller, investigate matters and occurrences directly relating to his tasks and which come to his or her notice, and report back to the person who commissioned the investigation or to the controller".
Furthermore, the legislation provides that "No one shall suffer prejudice on account of a matter brought to the attention of the competent Data Protection Officer" – effectively, whistle-blower protection.
The ODPC, as the principal complaint-handling instance in the area of data protection, encourages the investigation and handling of complaints by DPOs. The fact that the DPO acts from within the organisation and is close to the data subjects places him/her in an ideal situation to receive and handle queries or complaints at a local level.
Supporting Enforcement: Despite having the competence to monitor compliance with the legislation and to handle complaints, the DPO has limited powers of enforcement: the DPO has the option to bring to the attention, first of the Data Controller, and, if that fails, of the ODPC, any failure to comply with the obligations under the legislation with a view to possible investigation or formal Notice.