Article 29 Data Protection Working Party publishes Guidelines on Data Protection Officers


The Working Party explains that the General Data Protection Regulation, due to come into effect on 25 May 2018, will provide a “modernised, accountability-based compliance framework for data protection in Europe”. Data Protection Officers (DPOs) will be at the heart of this new legal framework for many organisations, facilitating compliance with the provisions of the GDPR.

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that, as a core activity, monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.

The Guidelines state that even when the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis. In fact, the Working Party is actively encouraging this.

The Guidelines explain that DPOs are not personally responsible in the case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions (Article 24(1)).

The Guidelines advise, however, that the controller or the processor should enable the effective performance of the DPO’s tasks. Appointing a DPO is a first step, the Guidelines state, but DPOs must also be given sufficient autonomy and resources to carry out their tasks effectively.
