We at Seventh Signal (CY) Ltd. are a team of well-trained and continually updated data protection professionals, coming from a mixed IT, healthcare, financial and legal background.

Most frequently asked questions about Data Protection Officers

As outlined in GDPR Article 39, the DPO’s responsibilities include, but are not limited to, the following:

  • Educating the company and employees on important compliance requirements
  • Conducting audits to ensure compliance and address potential issues proactively
  • Serving as the point of contact between the company and GDPR Supervisory Authorities
  • Monitoring performance and providing advice on the impact of data protection efforts
  • Maintaining comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which must be made public on request
  • Interfacing with data subjects to inform them about how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information

The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO can be an existing employee or externally appointed. In some cases several organisations can appoint a single DPO between them.

There must not be a conflict of interest between the individual's duties as a DPO and any other responsibilities she holds. To avoid conflict, it is recommended that:

  • a DPO should not also be a controller of processing activities (for example if she is head of Human Resources);
  • a DPO should not be an employee on a short or fixed-term contract;
  • a DPO should not report to a direct superior (rather than top management);
  • a DPO should have responsibility for managing her own budget.

The Art. 29 Working Party stated that individuals in a senior management position, such as the chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of Human Resources or head of the IT department, could have a conflict of interest and are therefore not suitable candidates for the DPO position.

Your company/organisation needs to appoint a DPO, whether it’s a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals. In that respect, monitoring the behaviour of individuals includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.

Public administrations always have an obligation to appoint a DPO (except for courts acting in their judicial capacity).

The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contract. A DPO can be an individual or an organisation.

Examples taken from the EDPB:

DPO mandatory
A DPO is mandatory for example when your company/organisation is:

  • a hospital processing large sets of sensitive data;
  • a security company responsible for monitoring shopping centres and public spaces;
  • a small head-hunting company that profiles individuals.

DPO not mandatory
A DPO isn’t mandatory if:

  • you’re a local community doctor and you process personal data of your patients;
  • you have a small law firm and you process personal data of your clients.

The GDPR does not include a specific list of DPO credentials, but Article 37 does require a data protection officer to have “expert knowledge of data protection law and practices.” The regulation also specifies that the DPO’s expertise should align with the organization’s data processing operations and the level of data protection required for what is processed by data controllers and data processors.

DPOs may be a staff member of the controller or processor, and related organisations may use the same individual to oversee data protection collectively, as long as the DPO is easily accessible to anyone at those related organisations. The DPO’s contact details must be published and provided to all regulatory oversight agencies.

Data Protection Officers must not have a conflict of interest, meaning that the DPO must not have any current duties or responsibilities that conflict with their monitoring responsibilities. For example, a legal counsel who could represent the company in a legal proceeding would be considered to have a conflict of interest, and therefore would not be qualified to serve as the DPO. Companies that violate this requirement may be subject to fines of up to €10 million or two percent of the company’s worldwide turnover, whichever is greater.

The DPO isn’t personally liable for data protection compliance. As the controller or processor, you remain responsible for complying with the GDPR. Nevertheless, the DPO clearly plays a crucial role in helping you to fulfil your organisation’s data protection obligations.

You must ensure that:

  • the DPO is involved, closely and in a timely manner, in all data protection matters;
  • the DPO reports to the highest management level of your organisation, i.e. board level;
  • the DPO operates independently and is not dismissed or penalised for performing their tasks;
  • you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge;
  • you give the DPO appropriate access to personal data and processing activities;
  • you give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information;
  • you seek the advice of your DPO when carrying out a DPIA; and
  • you record the details of your DPO as part of your records of processing activities.

This shows the importance of the DPO to your organisation and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn’t mean the DPO has to be line-managed at this level, but they must have direct access to give advice to the senior managers who make decisions about personal data processing.