Data protection officers

The data protection officer must be given the support required by data protection legislation. The organisation must cooperate with the data protection officer in building an appropriately comprehensive and independent role for the officer.

The data protection officer must be provided with the resources – time, tools and competence – required for the appropriate performance of their duties. The data protection officer must have the opportunity to update their competence through training. The EU's new digital and AI legislation should be taken into account in the training if relevant for the data protection officer's duties.

The data protection officer should have a deputy, because personal data breach notifications and fulfilling the rights of the data subject may not be delayed due to the data protection officer's absence.

The data protection officer or his or her team shall be involved in the handling of all questions related to data protection at the earliest stage possible.

The data protection officer must be given all relevant information without delay so that they can provide appropriate advice. The data protection officer should always be present when decisions affecting data protection are made.

The data protection officer's duties and obligations should be defined clearly and in writing, and the organisation's personnel must be informed of them.

The data protection officer must have the possibility to report directly to senior management. The data protection officer shall be regularly invited to high- and mid-level meetings.

The opinion of the data protection officer must always be given the appropriate weight. In case of a difference of opinion, the grounds on which the advice of the data protection officer was not followed should be documented.

The data protection officer must be consulted as soon as possible if a personal data breach or other issue concerning data protection is detected.

Data protection officers are not personally responsible for infringements of the GDPR. Compliance with data protection regulations is the responsibility of the controller or processor.

The data protection officer must be independent and may not have conflicts of interest in their duties as data protection officer. As every organisation is unique, such conflicts of interest must be examined on a case-by-case basis. In other words, the data protection officer cannot hold a position in which they are required to determine the purposes and means of processing personal data, as that is the controller's duty.

The data protection officer must not be instructed on how to perform their duties. The data protection officer may not be dismissed or punished for the performance of data protection duties.