With the implementation of the General Data Protection Regulation (GDPR), a new figure emerged: the Data Protection Officer (DPO). Although the GDPR provides a list of the DPO’s tasks and guidelines regarding their position within the organization, the Data Protection Authority (GBA) notes that the DPO’s role is often misunderstood or incorrectly filled.

This may be due to the fact that the DPO’s role is complex and sometimes ambiguous: the DPO is appointed by the data controller (or processor) while being obligated to provide independent advice without internal or external pressure.

The GBA has identified the role of the DPO as one of its priorities for the year 2023.

Controllers and processors would do well to carefully choose their Data Protection Officer (DPO).

Special attention is given to the status of the DPO within an organization.

It is essential for a DPO to perform their duties independently. The DPO should not receive instructions on how to carry out their tasks, should report directly to the highest level of management, and should have no conflict of interest between the DPO’s tasks and any other duties or functions they may have.

While the GDPR allows the DPO to perform other tasks, these tasks should not conflict with their primary responsibilities. This means that the DPO’s role cannot be combined with decision-making authority regarding the processing of personal data.

The judiciary has affirmed that a managerial role is excluded. The DPO should not advise on a specific processing if they have previously determined the purpose and means of that processing. In such cases, the DPO must abstain from performing that task or set aside the DPO function.

The GDPR sets high standards for the role of the DPO within a company. The Inspection Service of the GBA will regularly investigate the position of the DPO in organizations, ensuring they have the necessary resources to perform their duties and sufficient independence from management.


The Role of the DPO as a Priority of the GBA in 2023

National and European supervisory authorities consider the DPO the ultimate ally for GDPR compliance in the market. Their aim is to further support this role as an independent intermediary between the regulator and business units and to scrutinize the fulfillment of the DPO’s role. The GBA will do this through preventive actions and ongoing control.

Regarding awareness, the GBA seeks to emphasize the importance of the DPO’s role in handling requests from data subjects and reporting data breaches. Additionally, the GBA aims to create more awareness of the essential advisory role of the DPO in conducting Data Protection Impact Assessments (DPIA).

The GBA will further support the role of the DPO in terms of control. It is often observed that the DPO is insufficiently supported or not involved, or that their advice is not (sufficiently) followed. Frequently, the DPO does not meet the requirements imposed by the GDPR for various reasons.


Need for an Independent and Reliable DPO?

If the GBA finds, during inspections, that the DPO role is misapplied, sometimes due to a complete lack of independence, the company may be exposed to very high fines. Given the priority of the GBA, it becomes crucial for companies not to underestimate the role of the DPO or handle the appointment of a DPO lightly.

The appointment of an external DPO addresses the concerns mentioned above.

External guidance from a privacy expert, whether or not a DPO, can also support many companies and their DPOs in implementing a correct data protection policy.

For all your questions regarding the appointment of a DPO and the fulfillment of DPO tasks, you can turn to us.

At DGDM, we have certified DPOs who serve as external DPOs for various clients and are consulted daily by other DPOs for assistance.