Data Protection Officer cannot substitute the Controller

Table of Contents:

  1. Inspection of DPO’s Activities – 27 Questions Checklist
  2. Irregularities in the Functioning of DPO
  3. What Are the Tasks of a Data Protection Officer?

In certain situations, appointing a Data Protection Officer (DPO) is the duty of the Controller. Sometimes, however, the Controller decides to appoint a DPO voluntarily as professional support and assistance in complying with GDPR regulations. However, it turns out that sometimes the relationship between the Controller and the DPO does not proceed correctly, as noted by the President of the Personal Data Protection Office (PUODO).

Inspection of DPO’s Activities – 27 Questions Checklist

To check compliance with the regulations regarding the DPO’s activities, PUODO has published a list of 27 questions addressed to controllers in both the private and public sectors. The list serves as a control tool for the office to verify that the DPO is functioning correctly within the organization. At the same time, the list can serve as guidance for controllers, who can use it for internal audits to confirm compliance with the law in this area. You can find the list here.

Irregularities in the Functioning of DPO

As a result of inspections conducted using the aforementioned list, PUODO identified the following irregularities regarding the functioning of DPOs:

  • burdening the DPO with the duties of the controller, e.g., maintaining the register of processing activities,
  • excessive conclusion of data processing agreements between the controller and the DPO,
  • granting the DPO the authority to represent the controller in matters concerning data protection,
  • combining “GDPR implementation” and “DPO outsourcing” services by external companies.

The main problem related to the DPO’s activities was the performance of tasks within the so-called conflict of interest and substituting the controller in fulfilling its obligations. The controller appointed the DPO and delegated most of the controller’s duties to them, which is an unacceptable practice.

What Are the Tasks of a Data Protection Officer?

The DPO is responsible for advising the controller and informing them of their obligations, providing the necessary recommendations and guidelines. Their duties also include monitoring compliance with the GDPR in the organization, particularly through audits and training sessions. The DPO serves as the point of contact for the supervisory authority, with which they are required to cooperate. We have written in detail about what the DPO does and when they should be appointed here. Certainly, the DPO should not be appointed solely so that the controller’s obligations can be delegated to them, along with responsibility for ensuring compliance with those obligations.