The WP29 has adopted the guidelines for Data Protection Officers (DPO).
The purpose
The purpose of this document is:
- assisting and assisting data controllers and subcontractors in setting up the Data Protection Officer function;
- to assist data protection officers in carrying out their mission.
Appoint a DPO
It recalled the cases in which the designation of a DPO is mandatory. It clarified all the conditions for mandatory appointment of the DPO.
Nevertheless, it stressed that apart from those situations where the appointment of a DPO is mandatory, it may be appropriate to designate a DPO voluntarily. In this case, the same obligations must be applied.
It advised processors and contractors to formalize in writing the reasoning they followed in concluding whether or not to designate a DPO in order to prove that all the important elements were taken into consideration.
Fonctions et missions du DPD
It also clarified the scope of the DPO function, as provided by Article 38 of the GDPR. In particular, it clarified the implementation of the obligation to involve the DPO in all matters relating to the protection of personal data, the condition of independence and absence of conflict.
It also listed the tasks of the DPO.