This article describes the tasks of the Data Protection Officer (DPO) under the GDPR and the practical issues related to them. It then briefly discusses legal relationships that are not regulated by the GDPR but that may arise in the DPO's everyday work, i.e. the specific tasks of the DPO.

The general tasks of the Data Protection Officer

The general tasks of the DPO are set out in Article 39 of the GDPR and can be summarised as follows:

The primary task of the DPO is to assess the activities of the controller or processor. In doing so, the DPO becomes acquainted with the data processing structure of the controller or processor that designated him or her, mapping both its internal and its external processes.

The following organisational functions constitute a separate group of the general tasks of the DPO:

  1. Maintaining records of processing activities: under Article 30 of the GDPR the controller or processor is responsible for maintaining the records of processing activities, but in practice it is usually the DPO who coordinates the related work.
  2. Monitoring of processing operations: the personal data and processing operations kept on record are examined, as necessary, for consistency with the principles of Article 5 of the GDPR.
  3. Summary of the risks related to the processing activities: in this area the DPO "(…) shall have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing" (Article 39(2)), and should therefore identify the activities that constitute a risk, including the risk that a personal data breach or another specific event poses to the rights and freedoms of data subjects.
  4. Advising on the data protection impact assessment for high-risk processing: after the possible risks have been identified, the DPO advises the controller on whether a data protection impact assessment must be carried out; on the methodology to follow; on whether the assessment should be carried out internally or outsourced; on the safeguards (including technical and organisational measures) to be applied to mitigate the risks to the rights and interests of data subjects; and, once it is complete, on whether the assessment was properly carried out and whether its conclusions (regarding the continuation of the processing and the safeguards to be applied) comply with the GDPR. The assessment itself remains the controller's obligation under Article 35.

The DPO’s monitoring and compliance functions include the following responsibilities:

  1. Regular repetition of the processes listed above under the organisational functions.
  2. Handling personal data breaches: the controller must document every personal data breach (Article 33(5) of the GDPR), regardless of the risk it poses. Where the breach is likely to result in a risk to the rights and freedoms of natural persons, the controller must also notify the supervisory authority without undue delay and, where feasible, within 72 hours (Article 33(1)); where the risk is high, the data subjects must be informed as well (Article 34). A processor must notify the controller without undue delay after becoming aware of a breach (Article 33(2)). The DPO's obligation to cooperate in all of these activities follows from the provisions of the GDPR.
  3. Conducting investigations (including handling internal complaints): on the initiative of data subjects, the controller or processor, or on his or her own decision, the DPO is obliged to investigate all circumstances and activities that fall within the DPO's tasks and to report on the findings.

The group of advisory functions includes:

  1. General advice: in order to keep the controller or processor up to date, the DPO must regularly follow news, decisions and legislative changes in the field of personal data processing and protection. Whenever relevant new information or a change arises, the DPO must inform the client or employer, and must remain available for any specific legal questions arising from data protection law.
  2. Supporting data security measures: to give effect to the principle of data protection by design and by default laid down in Article 25 of the GDPR, the DPO must be involved in all processes that raise data security issues.
  3. Advice and monitoring on data protection policies, partnership agreements and transfers of data to third countries: the DPO is required to review all existing data protection documents, record proposals for amending them, and take action to implement those proposals once the controller or processor has accepted them.
  4. Contributing to the development of codes of conduct and certifications: developing codes of conduct is the responsibility of the controller and the processor; the DPO assists through professional advice.

Finally, other general functions of the DPO, which may be distinguished independently, include:

  1. Cooperation with the supervisory authority: the DPO acts as the contact point between the supervisory authority and the controller or processor. The DPO is entitled to consult the supervisory authority not only on the handling of personal data breaches but on any other matter related to the DPO's tasks.
  2. Handling requests from data subjects: the DPO examines requests that data subjects submit to the controller or processor when exercising their rights under Articles 15 to 22 of the GDPR.
  3. Information and awareness-raising: awareness may be raised in two ways, internally and externally. Internally, the DPO provides training sessions for staff on their rights and obligations regarding the processing and protection of personal data. Externally, the controller or processor publishes information materials prepared by the DPO so that data subjects are informed in a clear and understandable way.
  4. Planning and reviewing the DPO's tasks: so that the DPO can perform the above tasks effectively, it is recommended that the DPO draw up an annual plan covering both planned and unplanned tasks and revise it as necessary.

Tasks of the Data Protection Officer – Specific tasks

Practical experience shows that, in addition to the general tasks presented above, the DPO also performs a number of specific tasks (e.g. maintaining the records of processing activities, carrying out a data protection impact assessment, assessing the risks of personal data breaches, preparing privacy notices under Article 13 of the GDPR, etc.) that the DPO is not obliged by law to perform, and for which responsibility therefore lies not with the DPO but with the controller or processor.

Based on the wording of the GDPR, the DPO essentially performs a professional advisory and opinion-forming function; no provision states that preparing the GDPR documentation of the controller or processor is the DPO's duty. At the same time, Article 39 of the GDPR introduces its list of duties with the words "at least", which suggests that the DPO's duties are not limited to those listed but may extend to other tasks that arise in the course of, and in connection with, the DPO's position. Which tasks outside the functions specifically assigned to the DPO the DPO may take on must be judged case by case, taking into account the rules governing the DPO's status, in particular independence, the prohibition on dismissing or penalising the DPO for performing his or her tasks, liability, and conflicts of interest. The specific tasks of the DPO can be grouped as follows:

1. Freedom of information

Chapter III of the Hungarian Privacy Act deals with access to data of public interest (and data accessible on public interest grounds) and the related procedural rules. The Privacy Act does not specify which organisational unit or employee of a public body is responsible for examining and answering data requests; in practice, the controller instructs the DPO to perform these tasks. The question therefore arises whether a DPO designated under the GDPR may act in such cases, given the rules on conflicts of interest. Two situations should be distinguished. If the DPO examines the data request on his or her own account and answers the requester personally, the conflict of interest rules of the GDPR are violated. If, however, the controller asks the DPO for a professional opinion on a particular data request, and the engagement contract or job description expressly provides for such involvement of the DPO, the arrangement is in line with the GDPR provisions on the controller's practices (provided that the DPO's personal involvement in the data request does not infringe the requirement of independence of functions).

2. Information security

Bodies subject to Act L of 2013 on the Electronic Information Security of State and Municipal Bodies (hereinafter: "Ibtv.") are obliged, under Section 11 (1) c) of the Act, to appoint or engage a person responsible for the security of their electronic information systems (an information security officer). According to Section 13 (2) of the Ibtv., the information security officer "shall be responsible for fulfilling all tasks occurring at the body, related to the security of electronic information systems". Given how the Ibtv. defines electronic information systems and data, the scope of the information security officer's tasks is broader than that of the DPO: the information security officer is responsible for all data assets of the body, whereas the DPO is responsible only for tasks relating to the protection of the personal data the controller processes. The DPO therefore cannot perform the tasks of the information security officer, since the two positions differ in nature and function. If a controller employed the same person in both roles, a conflict of interest would arise under the legal provisions applicable to the DPO.

3. Criminal offences

Two offences regulated in the Penal Code that relate to personal data, namely misuse of personal data and information system fraud, may require the DPO to act in the context of investigating a personal data breach and informing the data subjects. In my view, the DPO may act, i.e. compile and submit a personal data breach notification and comply with the controller's instruction (or request), only if doing so does not breach the requirements of independence and conflict of interest, i.e. if giving a professional statement on the criminal offence in question does not amount to a circumstance that would undermine GDPR-compliant practice.

4. Communications regulation

Pursuant to Section 156(3) of Act C of 2003 on Electronic Communications (hereinafter: "Eht."), in the event of a personal data breach the electronic communications service provider must notify the Authority without delay. This procedure is governed by rules under the Eht. similar to those governing breach notification under the GDPR. The DPO of a controller or processor that also acts as an electronic communications service provider must therefore be available in the event of a personal data breach and, where applicable, assist with the notification to the National Media and Infocommunications Authority required by the Eht. in addition to the notification required by the GDPR, given that the task concerns personal data and it is reasonable to expect such service providers to take proper action.

dr. Miklós Péter
2024. 02. 22.
