The DPO’s dual role: supervisor or adviser?
DPI could of course not be missing from the recently held Dutch-language PrivCon2023 privacy conference. A recurring theme was the role of the Data Protection Officer (DPO), and in particular an apparent difference in interpretation between Dutch and Belgian speakers and participants about how that role should be filled.
1. Is the Data Protection Officer (DPO) a supervisor or adviser?
The DPO (in the Netherlands also known as the "functionaris gegevensbescherming") classically oversees everything to do with the processing of personal data within an organisation and must ensure compliance with the rules of the General Data Protection Regulation (GDPR). Between the two neighbouring countries, however, there is no unanimity about what the word "oversee" actually means.
In the Netherlands the DPO is seen as an internal supervisor, a watchdog, who needs to be as independent as possible. This means they should not be involved in operational matters such as carrying out DPIAs, should not give awareness sessions and should only flag risks from a distance. One of the Dutch speakers made the comparison with the well-known Three Lines of Defence model: in that picture the DPO is in fact a fourth line, with a bird's-eye view of the other three.
This contrasts with the Belgian approach. In Belgium the DPO is primarily a consultant and adviser, and only secondarily, if at all, a supervisor. The emphasis is on being known within the organisation, creating awareness, advising and creating as much ownership as possible, so that the GDPR rules are correctly applied in all layers of the organisation.
2. What does the General Data Protection Regulation (GDPR) say?
With such opposing views, surely one must be right and the other wrong? Or is it not that simple? This seems a good moment to look at the law itself, in particular Article 39(1)(a) and (b):
The data protection officer shall have at least the following tasks:
- (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
The GDPR is, surprise surprise, open to interpretation. "Inform and advise ... of their obligations" can be read narrowly, as giving limited advice about the obligations the law spells out, in the manner of an in-house supervisory authority (an internal APD/VTC/AP, as it were). But "inform and advise" can equally be read in a more hands-on way.
The same applies to Article 39(1)(b): is the DPO now also (partly) responsible for that awareness-raising and training, or must they only monitor whether it is being done?
Recital 97 describes the DPO's task as assisting "the controller or the processor to monitor internal compliance with this Regulation". The word "assist" suggests that the DPO does not perform the monitoring itself, but at the same time performing the monitoring is also a form of assisting.
3. What does the European Data Protection Board (EDPB) say?
If we are looking for clarity, we can of course turn to the EDPB's guidelines. Although the guidelines on DPOs (WP243) were written by the EDPB's predecessor, the Article 29 Working Party (WP29), they were subsequently endorsed by the EDPB. Section 4.1 explicitly refers to informing and advising, without limiting this to the obligations under the Regulation, and even specifically lists "issue recommendations" as part of the DPO's monitoring role.
Other passages in the guidelines show the same ambiguity. For instance, the record of processing activities should in principle be maintained by the controller, but the DPO may also be assigned the task of maintaining it, albeit under the responsibility of the controller. The explanation of the DPO's role in a DPIA (Data Protection Impact Assessment) follows the same pattern: it is the task of the controller, not the DPO, to carry out a DPIA, but the DPO does have to assist. The list that follows then gives the DPO room to be involved in every aspect of the DPIA, including the methodology, whether to outsource it, and the safeguards to apply.
4. Conclusion: it depends…
In short, whichever role you prefer, you will find plenty of leads in the available material to substantiate your choice, so this is not a matter of right or wrong. Perhaps we should instead take a common-sense, pragmatic view, to borrow the terms the WP29 itself used in its guidelines.
What works best for our organisation? Where are the greatest risks? The maturity of the organisation also plays a role here. Choosing the role of a pure supervisor in an organisation that is far from ready for it carries risks of its own. Conversely, an organisation that already has a Chief Privacy Officer and a privacy team of ten people will benefit far more from a DPO who mainly acts as a supervisor.
Either way, the choice that is made should be properly recorded. Every DPO should have an approved job description that makes clear how the role is filled and that can be submitted to the data protection authority when necessary. This gives both the controller and the DPO more certainty and clarity.