Article 38 of GDPR: Position of The Data Protection Officer
Article 38 of GDPR provides organizations with the parameters to observe in their relationship with the data protection officer.
Involving the DPO in issues relating to the protection of personal data (Article 38(1) GDPR)
The role of the data protection officer is to help organizations protect personal data and comply with GDPR.
As such, Article 38(1) requires that organizations involve their data protection officer with respect to all issues related to the protection of personal data.
Organizations to support the data protection officer (Article 38(2) GDPR)
Data controllers and data processors are required to:
- Support the DPO as it performs its duties
- Provide the DPO with sufficient resources to enable it to perform its tasks
- Provide the DPO with access to personal data and processing operations
- Help the DPO maintain his or her expert knowledge
Protection and independence of the DPO (Article 38(3) GDPR)
GDPR requires that the data protection officer remain as independent as possible in carrying out its duties.
As a result, organizations must:
- Ensure the DPO is independent and does not receive instructions on how to do his or her job
- Ensure the DPO is not dismissed and does not suffer consequences for carrying out his or her functions
- Have the DPO report to the highest level of management
DPO as the point of contact for data subjects (Article 38(4) GDPR)
As it relates to data subjects, the data protection officer will act as the point of contact when individuals wish to exercise their rights under GDPR and with respect to any issues related to the processing of their personal data.
Duty of confidentiality (Article 38(5) GDPR)
It goes without saying that the data protection officer must have a duty of confidentiality concerning the performance of his or her functions.
Even if the duty of confidentiality was not specifically outlined in an employment contract or service agreement, GDPR imposes that duty on the DPO.
DPO to handle other tasks (Article 38(6) GDPR)
A data protection officer is authorized to handle other functions within an organization.
However, when carrying out other tasks or functions, the DPO must not be put in a situation where there may be a conflict of interest impacting his or her independence or ability to properly execute the DPO functions.
Recitals applicable to Article 38 of GDPR
Relevant Recitals: 97
Cited Legislation in Article 38 or relevant recitals
GDPR Text: Article 38 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)