Basics: Tasks of the data protection officer

The data protection officer (DPO) is a natural person who is responsible for compliance with data protection within an organization. The DPO represents a control distance and has a duty to advise the person responsible. Furthermore, the data protection officer is not subject to instructions and may not be restricted in order to fulfill his tasks. The data protection officer is not authorized to issue instructions, but may only make recommendations and report to the top management level.

The data protection officer can be appointed internally, i.e. within an organization, as well as externally. If the data protection officer is appointed internally, it must be ensured that there is no conflict of interest. It should therefore e.g. no IT manager, managing director, head of human resources, head of legal, etc. will take over the position of data protection officer. Furthermore, it must be ensured that the appointed data protection officer has the necessary specialist knowledge of data protection law and data protection practice for the performance of his tasks.

The tasks of the data protection officer are derived from the General Data Protection Regulation according to Art. 39 GDPR.

The data processing programs that are used in the company must be checked by the data protection officer to determine whether they meet the requirements of the General Data Protection Regulation or whether further measures have to be taken to ensure data protection-compliant processing.

The task of the data protection officer also includes training the controller’s employees in the area of data protection law. This can be done in various ways, such as be done through eLearning.

The data protection officer is obliged to properly process inquiries from employees and customers of the person responsible and then to provide information.

The personal data must be protected during processing by means of technical and organizational measures. The task of the data protection officer is to advise and support those responsible for appropriate measures.

When commissioning new service providers, the data protection officer must be informed in advance. The task of the data protection officer is to check the service provider to determine whether he is processing the personal data in compliance with data protection regulations. This is done by examining the agreement on order processing and checking the technical and organizational measures taken by the service provider.

The person responsible is responsible for safeguarding the rights of the data subject (e.g. information, correction and deletion request). The task of the data protection officer is to provide the person responsible with adequate support and to provide him with information on data protection issues.

The controller must keep a record of processing activities. This describes the process of processing the personal data. The data protection officer must support the person responsible here. Furthermore, it is the duty of the data protection officer to monitor all processes in which personal data is processed and to check whether these have already been documented.

If processing involves a particularly high risk for the rights and freedoms of the natural person (e.g. extensive video surveillance), a data protection impact assessment must be carried out in accordance with Art. 35 GDPR. The task of the data protection officer is to support the person responsible in carrying out a data protection impact assessment in accordance with Art. 35 GDPR.

If the data breach poses a particularly high risk for the rights and freedoms of the data subject, this must be reported to the competent supervisory authority within 72 hours of the data breach becoming known. However, the data protection officer must be informed of every data breach. Its task is then to assess whether this is notifiable or not.

According to Art. 39 GDPR, the data protection officer is obliged to inform the person responsible about his obligations under data protection law and to monitor compliance with the GDPR in the company. This obligation is met through an activity report.

Did you know that we not only provide external data protection officers and advise you on all aspects of the subject, but also offer eLearning? You don’t even have to be a consulting customer.
We’re here to help. Please call us on 08505 919 27-0 or fill out our contact form.

 

[1] It always refers to both male and female persons. For the sake of easier readability we only use the masculine form in this text.