Article 38 of the GDPR: Status of the data protection officer (DPO)

Article 38 of the GDPR regulates the status of the data protection officer (DPO) and the conditions under which the role is exercised. It guarantees the DPO's independence and ability to carry out their tasks without conflict of interest or hierarchical pressure.

Article 38 of the GDPR explained

The controller or processor must ensure that:

  • The DPO is involved in all matters relating to data protection in a timely manner;
  • The DPO has the resources necessary to carry out their tasks (time, budget, training...);
  • The DPO does not receive any instructions regarding the exercise of their tasks;
  • The DPO is not sanctioned or fired for the exercise of their tasks;
  • The DPO exercises their functions in complete independence, without conflict of interest.

Data subjects can freely contact the DPO for any questions relating to the processing of their data.

Why is this article important for your GDPR compliance?

Respect for the status of the DPO is a condition for the validity of the DPO's designation. A DPO who is hierarchically dependent or prevented from acting freely would compromise the organization's compliance.

How to comply with Article 38 of the GDPR?

  • Formalize the independence of the DPO in his contract or mission letter;
  • Provide direct access to management and necessary information;
  • Plan a budget and resources adapted to the DPO's role;
  • Avoid any conflict of interest (the DPO should not decide on data processing himself).

Examples of application of Article 38 of the GDPR

  • An internal DPO attends management committees and is consulted on any new digital project;
  • A company entrusts the DPO function to an external entity via a dedicated service contract;
  • The DPO has direct access to all processing and can meet the CNIL independently.
