UK GDPR: Data Protection Officer (Articles 37-39)
Data Protection Officer Requirements [Arts 37-39]
Rule: A controller or processor whose processing falls within Art 37(1) must designate a Data Protection Officer (DPO); any other organisation may appoint one voluntarily, and once appointed the DPO is subject to Arts 38-39 in full.
When is a DPO required? [Art 37(1)]
| Situation | Required? | Citation |
|---|---|---|
| Public authority or body | Yes (except courts acting in their judicial capacity) | Art 37(1)(a) |
| Core activities require regular and systematic monitoring of data subjects on a large scale | Yes | Art 37(1)(b) |
| Core activities involve large-scale processing of special category data (Art 9) | Yes | Art 37(1)(c) |
| Core activities involve large-scale processing of criminal convictions and offences data (Art 10) | Yes | Art 37(1)(c) |
| Voluntary appointment | Allowed | Art 37(4) |
DPO requirements [Art 37]
| Requirement | Details | Citation |
|---|---|---|
| Expert knowledge | Designated on the basis of professional qualities, in particular expert knowledge of data protection law and practices, and the ability to fulfil the Art 39 tasks | Art 37(5) |
| Can be employee or external | Staff member or service contract | Art 37(6) |
| Contact details published | Must publish DPO contact details | Art 37(7) |
| Contact details to ICO | Must communicate details to ICO | Art 37(7) |
| Group of undertakings | A single DPO can serve the group provided they are easily accessible from each establishment | Art 37(2) |
Position of the DPO [Art 38]
| Requirement | Details | Citation |
|---|---|---|
| Proper involvement | Involve the DPO properly and in a timely manner in all issues relating to the protection of personal data | Art 38(1) |
| Resources | Provide the resources needed to carry out the tasks, access to personal data and processing operations, and resources to maintain expert knowledge | Art 38(2) |
| Independence | No instructions on how to perform tasks | Art 38(3) |
| No dismissal for performing duties | Protected from dismissal/penalty | Art 38(3) |
| Reports to highest management | Direct reporting line | Art 38(3) |
| Confidentiality | Bound by confidentiality | Art 38(5) |
| No conflict of interest | Can have other tasks if no conflict | Art 38(6) |
Tasks of the DPO [Art 39]
| Task | Description | Citation |
|---|---|---|
| Inform and advise | Controller, processor and employees | Art 39(1)(a) |
| Monitor compliance | With GDPR and other data protection law | Art 39(1)(b) |
| Advise on DPIAs | Provide advice where requested on data protection impact assessments and monitor their performance (Art 35) | Art 39(1)(c) |
| Cooperate with ICO | Cooperate with the supervisory authority | Art 39(1)(d) |
| Contact point for ICO | Act as contact point for the supervisory authority on issues relating to processing, including prior consultation (Art 36) | Art 39(1)(e) |
| Contact point for data subjects | Data subjects may contact the DPO on all issues relating to processing of their data and the exercise of their rights | Art 38(4) |
| Risk-based approach | Have due regard to the risk associated with processing operations, taking into account their nature, scope, context and purposes | Art 39(2) |
Source Text
Article 37(1): The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
Article 38(3): The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
Article 39(1): The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data…
Citation
Article 37, UK GDPR | Article 38 | Article 39