{"id":13450,"date":"2023-10-19T10:53:53","date_gmt":"2023-10-19T08:53:53","guid":{"rendered":"https:\/\/www.dp-institute.eu\/?p=13450"},"modified":"2023-11-15T11:38:10","modified_gmt":"2023-11-15T10:38:10","slug":"role-dpo-supervisor-advisor","status":"publish","type":"post","link":"https:\/\/www.dp-institute.eu\/en\/role-dpo-supervisor-advisor\/","title":{"rendered":"The DPO’s dual role: supervisor or adviser?"},"content":{"rendered":"
The DPO’s dual role: supervisor or adviser?<\/p>\n
DPI could of course not be missing from the recently held Dutch-language PrivCon2023 privacy conference. A recurring theme was the role of the Data Protection Officer or DPO, and in particular an apparent difference in interpretation between Dutch and Belgian speakers and participants on how that role should be filled.<\/p>\n
The DPO, also known as the data protection officer, classically oversees everything to do with the processing of personal data within an organisation and must ensure compliance with the rules contained in the General Data Protection Regulation (GDPR). Unanimity exists between the two neighbouring countries about the interpretation of the word “oversee”.<\/p>\n
In the Netherlands the DPO is seen as an internal supervisor, a watchdog, who needs to be as independent as possible. This means they should not be involved in operational issues such as the performance of DPIAs, should not give awareness sessions and should only signal risks from a distance. One of the Dutch speakers made the comparison with the well-known\u00a0Three Lines of Defense model<\/a>: here the DPO is in fact a Fourth Line with a bird\u2019s eye view.<\/p>\n
This contrasts with the Belgian approach. In Belgium, the DPO is primarily a consultant and adviser, and only after that a (possible) supervisor. The emphasis is on being known in the organisation, creating awareness, advising and creating as much ownership as possible to ensure that the GDPR rules are correctly applied in all layers of the organisation.<\/p>\n
With such opposing views, surely one must be right and the other wrong, or not? Maybe this is a good time to look at the law itself, particularly articles 39.1.a. and b.:<\/p>\n
The data protection officer shall have at least the following tasks: <\/em><\/p>\n
The GDPR is, surprise surprise, open to interpretation. \u201cInform and advise of their obligations\u201d can be read as providing limited advice relating to the obligations as specified in the law, as an internal APD\/VTC\/AP. However, inform and advise can also be seen in a more hands-on way.<\/p>\n
The same applies to article 39.1.b: is the DPO now also (partly) responsible for this awareness and training, or must they only monitor the performance thereof?<\/p>\n
Recital 97 discusses the task of the DPO to assist<\/strong> \u201cthe controller or the processor to monitor internal compliance with this Regulation\u201d. The word \u2018assist\u2019 suggests that the DPO does not perform the supervision itself, but at the same time performing the supervision is also a form of assisting.<\/p>\n
2. What does the General Data Protection Regulation (GDPR) say?<\/strong><\/h5>\n
\n
3. What does the European Data Protection Board (EDPB) say? <\/strong><\/h5>\n