Article 38
Position of the data protection officer

Recitals of the Regulation related to article 38

(97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

Recitals of the Directive related to article 38

(49) Whereas, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification required may be provided for by Member States in cases where processing is unlikely adversely to affect the rights and freedoms of data subjects, provided that it is in accordance with a measure taken by a Member State specifying its limits; whereas exemption or simplification may similarly be provided for by Member States where a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects; whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;

(54) Whereas with regard to all the processing undertaken in society, the amount posing such specific risks should be very limited; whereas Member States must provide that the supervisory authority, or the data protection official in cooperation with the authority, check such processing prior to it being carried out; whereas following this prior check, the supervisory authority may, according to its national law, give an opinion or an authorization regarding the processing; whereas such checking may equally take place in the course of the preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing and lays down appropriate safeguards;

The GDPR

Article 38 imposes on the controller or the processor a series of obligations intended to allow the data protection officer to undertake the tasks provided for in Article 39.

Thus, the controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing the resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

It is the responsibility of the controller or the processor to ensure the independence of the data protection officer in the performance of his or her tasks. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law (Article 38 (5)).

The final version of the Regulation states further that data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights (see Article 38 (4)).

Finally, the data protection officer may fulfil other tasks and duties, the controller and the processor being required to ensure that any such tasks and duties do not result in a conflict of interests.

The Directive

The Directive said little about the functions of the data protection officer: according to article 18, his or her task was to ensure that processing operations did not adversely affect the rights and freedoms of the data subjects, by ensuring, in an independent manner, the compliance of the processing with the national provisions transposing the Directive.

In particular, the data protection officer had to keep a register of the processing operations carried out by the controller, containing the information that was subject to notification to the competent national supervisory authority, in accordance with article 21 (2) of the Directive.

Potential issues

The data protection officer’s functions and status will have to receive special attention within organisations and from the controller. The independence of the data protection officer must be guaranteed, whether or not his or her designation was required. Internally, the possible sanctions in case of improper performance of the tasks entrusted by the controller must be reviewed in order to ensure compliance with the new rules.

European Union

European Data Protection Board

Designation and Position of Data Protection Officers (16 January 2024) - (English)

In October 2020, the European Data Protection Board (EDPB) decided to set up a Coordinated Enforcement Framework (CEF) with a view to streamlining enforcement and cooperation among supervisory authorities, consistently with the EDPB 2021-2023 Strategy. A first CEF was conducted in 2021 on the Use of Cloud Services by Public Bodies. For the second CEF, the EDPB selected in September 2022 'the Designation and Position of Data Protection Officers' for its 2023 Coordinated Enforcement Action. Throughout 2023, 25 supervisory authorities (‘SAs’) across the EEA launched coordinated investigations into the role of Data Protection Officers (‘DPOs’). The CEF was implemented at national level in one or several of the following ways: (1) fact-finding exercise, (2) questionnaire to identify if a formal investigation is warranted, and/or (3) commencement of a formal enforcement investigation, or follow-up of ongoing formal investigations. Between November 2022 and February 2023, these supervisory authorities discussed the aims and the means of their actions in the context of the CEF. In this context, the SAs drafted a questionnaire in a neutral way so that it would be possible for either the controller/processor or the DPO to fill it in. While doing this, they ensured that it would be possible for SAs to adjust the questionnaire or to draft their own, based on (or inspired by) the commonly drafted questionnaire.

The present report aggregates the findings of all the supervisory authorities participating in the CEF. Particular attention is paid to challenges identified by supervisory authorities and/or respondents during the CEF action. These include issues such as insufficient resources allocated to DPOs, insufficient expert knowledge and training of DPOs and risks of conflicts of interests. This report provides, among other things, a list of recommendations that organisations, DPOs and/or SAs may take into account to address the challenges identified, without prejudice to the provisions of the GDPR/EUDPR and the powers of supervisory authorities.

Article 29 Working Party

Guidelines on Data Protection Officers (‘DPOs’) - wp243rev.01 (5 April 2017)

(Endorsed by the EDPB)

The General Data Protection Regulation (‘GDPR’), due to come into effect on 25 May 2018, provides a modernised, accountability-based compliance framework for data protection in Europe. Data Protection Officers (‘DPOs’) will be at the heart of this new legal framework for many organisations, facilitating compliance with the provisions of the GDPR.

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that - as a core activity - monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.

Even when the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis. The Article 29 Data Protection Working Party (‘WP29’) encourages these voluntary efforts.

The concept of DPO is not new. Although Directive 95/46/EC did not require any organisation to appoint a DPO, the practice of appointing a DPO has nevertheless developed in several Member States over the years.

Before the adoption of the GDPR, the WP29 argued that the DPO is a cornerstone of accountability and that appointing a DPO can facilitate compliance and furthermore, become a competitive advantage for businesses. In addition to facilitating compliance through the implementation of accountability tools (such as facilitating data protection impact assessments and carrying out or facilitating audits), DPOs act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).

DPOs are not personally responsible in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions (Article 24(1)). Data protection compliance is a responsibility of the controller or the processor.

The controller or the processor also has a crucial role in enabling the effective performance of the DPO’s tasks. Appointing a DPO is a first step but DPOs must also be given sufficient autonomy and resources to carry out their tasks effectively.

The GDPR recognises the DPO as a key player in the new data governance system and lays down conditions for his or her appointment, position and tasks. The aim of these guidelines is to clarify the relevant provisions in the GDPR in order to help controllers and processors to comply with the law, but also to assist DPOs in their role. The guidelines also provide best practice recommendations, building on the experience gained in some EU Member States. The WP29 will monitor the implementation of these guidelines and may complement them with further details as appropriate.

European Union

CJEU caselaw

C-92/09 ; C-93/09 (9 November 2010) - Volker und Markus Schecke and Eifert

1. Articles 42(8b) and 44a of Council Regulation (EC) No 1290/2005 of 21 June 2005 on the financing of the common agricultural policy, as amended by Council Regulation (EC) No 1437/2007 of 26 November 2007, and Commission Regulation (EC) No 259/2008 of 18 March 2008 laying down detailed rules for the application of Regulation No 1290/2005 as regards the publication of information on the beneficiaries of funds deriving from the European Agricultural Guarantee Fund (EAGF) and the European Agricultural Fund for Rural Development (EAFRD) are invalid in so far as, with regard to natural persons who are beneficiaries of EAGF and EAFRD aid, those provisions impose an obligation to publish personal data relating to each beneficiary without drawing a distinction based on relevant criteria such as the periods during which those persons have received such aid, the frequency of such aid or the nature and amount thereof.

2. The invalidity of the provisions of European Union law mentioned in paragraph 1 of this operative part does not allow any action to be brought to challenge the effects of the publication of the lists of beneficiaries of EAGF and EAFRD aid carried out by the national authorities on the basis of those provisions during the period prior to the date on which the present judgment is delivered.

3. The second indent of Article 18(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not placing the personal data protection official under an obligation to keep the register provided for by that provision before an operation for the processing of personal data, such as that resulting from Articles 42(8b) and 44a of Regulation No 1290/2005, as amended by Regulation No 1437/2007, and from Regulation No 259/2008, is carried out.

4. Article 20 of Directive 95/46 must be interpreted as not imposing an obligation on the Member States to make the publication of information resulting from Articles 42(8b) and 44a of Regulation No 1290/2005, as amended by Regulation No 1437/2007, and from Regulation No 259/2008 subject to the prior checks for which that Article 20 provides.

C-534/20 (22 June 2022) - Leistritz AG v LH

The second sentence of Article 38(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as not precluding national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of that regulation.

C-453/21 (9 February 2023) - X-FAB Dresden

1. The second sentence of Article 38(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as not precluding national legislation which provides that a controller or a processor may dismiss a data protection officer who is a member of staff of that controller or processor solely where there is just cause, even if the dismissal is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of that regulation.

2. Article 38(6) of Regulation 2016/679 must be interpreted as meaning that a ‘conflict of interests’, as provided for in that provision, may exist where a data protection officer is entrusted with other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor, which is a matter for the national court to determine, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.

C-560/21 (9 February 2023) - KISA

The second sentence of Article 38(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as not precluding national legislation which provides that a controller or a processor may dismiss a data protection officer who is a member of its staff only on serious grounds, even if the dismissal is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of that regulation.

Regulation

Art. 38

1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

2. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.

5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

1st proposal

Art. 36

1. The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.

2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.

3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.

2nd proposal

Art. 36

1. The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.

2. The controller or the processor shall support the data protection officer in performing the tasks referred to in Article 37 by providing (...) resources necessary to carry out these tasks as well as access to personal data and processing operations.

3. The controller or processor shall ensure that the data protection officer can act in an independent manner with respect to the performance of his or her tasks and does not receive any instructions regarding the exercise of these tasks. He or she shall not be penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

4. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Directive

Art. 18

2. Member States may provide for the simplification of or exemption from notification only in the following cases and under the following conditions:

- where, for categories of processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of data subjects, they specify the purposes of the processing, the data or categories of data undergoing processing, the category or categories of data subject, the recipients or categories of recipient to whom the data are to be disclosed and the length of time the data are to be stored, and/or

- where the controller, in compliance with the national law which governs him, appoints a personal data protection official, responsible in particular:

- for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive

- for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21 (2),

thereby ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.

Data protection officer

§ 5 DSG

(1) Without prejudice to other obligations of confidentiality, the data protection officer and the persons working for the data protection officer shall be bound by confidentiality when fulfilling their duties. This shall apply in particular in relation to the identity of data subjects who applied to the data protection officer, and to circumstances that allow identification of these persons, unless the data subject has expressly granted a release from confidentiality. The data protection officer and the persons working for the data protection officer may exclusively use information made available to fulfil their duties and shall be bound by confidentiality even after the end of their activities.

(2) If, during his or her activities, a data protection officer obtains knowledge of data in respect of which a person employed with a body subject to the supervision of the data protection officer has a statutory right to refuse to give evidence, the data protection officer and the persons working for the data protection officer shall also have such a right to the extent to which the person who has the right to refuse to give evidence exercised that right. The files and other documents of the data protection officer are subject to a prohibition of seizure and confiscation to the extent of the right of the data protection officer to refuse to give evidence.

(3) Public-sector data protection officers (instituted in legal form under public law, in particular also as an organ of a regional authority) are not bound by any instructions when exercising their duties. The highest governing bodies or officers have the right to obtain information on matters to be dealt with from a public-sector data protection officer. The data protection officer shall provide information only insofar as the independence of the data protection officer as described in Article 38 para. 3 of the General Data Protection Regulation is not impaired by doing so.

(4) Considering the type and scope of data processing activities and depending on the facilities of a federal ministry, one or several data protection officers shall be appointed in the sphere of responsibilities of each federal ministry. These data protection officers shall be employed by the relevant federal ministry or the relevant subordinate office or other entity.

(5) Public-sector data protection officers pursuant to para. 4 shall regularly exchange information, in particular with regard to ensuring uniform data protection standards.


Confidentiality of data

§ 6

(1) The controller, the processor and their employees, i.e. employees and persons in a quasi-employee relationship, shall ensure the confidentiality of personal data from data processing activities that have been entrusted or have become accessible to them solely due to their employment, without prejudice to other statutory obligations of confidentiality, unless a legitimate reason for the transmission of the data that have been entrusted or have become accessible to them exists (confidentiality of data).

(2) Employees may transmit personal data only if expressly ordered to do so by their employer. Unless such an obligation of their employees already exists by law, the controller and the processor shall contractually bind their employees to transmit personal data from data processing activities only on the basis of orders and to maintain the confidentiality of data even after the end of their employment with the controller or processor.

[...]

Old law

No provision in Austria before May 25, 2018.