Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Section 4.2. Role of the DPO in a data protection impact assessment
According to Article 35 (1), it is the task of the controller, not of the DPO, to carry out, when necessary, a data protection impact assessment (‘DPIA’). However, the DPO can play a very important and useful role in assisting the controller. Following the principle of data protection by design, Article 35 (2) specifically requires that the controller ‘shall seek advice’ of the DPO when carrying out a DPIA. Article 39(1)(c), in turn, tasks the DPO with the duty to ‘provide advice where requested as regards the [DPIA] and monitor its performance pursuant to Article 35 ’.
The WP29 recommends that the controller should seek the advice of the DPO, on the following issues, amongst others:
-
whether or not to carry out a DPIA
-
what methodology to follow when carrying out a DPIA
-
whether to carry out the DPIA in-house or whether to outsource it
-
what safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects
-
whether or not the data protection impact assessment has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with the GDPR
If the controller disagrees with the advice provided by the DPO, the DPIA documentation should specifically justify in writing why the advice hasnot been taken into account.
The WP29 further recommends that the controller clearly outline, for example in the DPO’s contract, but also in information provided to employees, management (and other stakeholders, where relevant), the precise tasks of the DPO and their scope,in particular with respect to carrying out the DPIA.
