13 February 2020
A DPO's job is to ensure that you're meeting the requirements put in place by the GDPR. It is a specialist position that requires independence but also access to the resources required to get the job done.
If you need a DPO, then you also need to formally nominate them in writing. We'll show you what a DPO is, how to determine whether you need one, and how to put together a compliant Appointment of Data Protection Officer Letter in a flash.
A data protection officer (DPO) is an internal compliance position that monitors your data protection obligations under the GDPR.
Your DPO must be four things:
You can hire a DPO to work internally or nominate someone already inside your organization to fill the role. You can also use an externally appointed DPO, and several organizations may even share a single DPO, often by hiring a dedicated DPO service.
Why choose to nominate a DPO?
A DPO is a valuable member of a team because they specialize in demonstrating that your company is compliant with the GDPR. They help your organization remain accountable so that you can protect data and avoid fines.
Remember: the fines are steep. Violations of the GDPR's DPO obligations, including failing to nominate a DPO when you legally need one, can be fined up to 10 million euro or up to two percent of your annual global turnover, whichever is higher.
A DPO benefits almost any organization working with data, but it's not mandatory unless you meet certain conditions set out by the GDPR.
You'll find the list of requirements in the original legal language in Article 37 of the GDPR.
In short, it says that you need a DPO if you are a public authority or if you carry out specific data processing activities that are:
You can appoint a DPO regardless of whether or not you meet the conditions laid out by law. However, even if the appointment is voluntary, your DPO must fulfill the role according to the law as if it were mandatory.
A DPO has overarching tasks laid out in Article 39 of the GDPR. A DPO must:
Have you chosen, or are you required, to appoint a data protection officer? The GDPR expects you to be able to demonstrate the appointment, so keep a written record of it, which can be a copy of your appointment letter. Note that Article 37 also requires you to publish the DPO's contact details and communicate them to your supervisory authority.
A data protection officer appointment letter needs to include the following parts:
Ecomply provides a brief example of a DPO appointment letter.
Their letter provides a helpful example of concisely blending the essential information into one paragraph:
"The ACME LLC herewith and with immediate effect appoints Ms Sample as the Data Protection Officer - as stipulated in Article 37 GDPR referencing § 38 BDSG-neu for our company. To facilitate the execution of this role as Data Protection Officer, he/she shall report directly to management, specifically NAME_MANAGING_DIRECTOR."
The letter then goes on to say what it is the DPO will do for the company:
"Ms. Sample is entrusted with providing consultancy services and ad-hoc spot checks to ensure company-wide adherence to the provisions of the GDPR and to further data protection regulations.
In concrete terms, his/her duties shall be derived from the GDPR and shall, specifically, be aligned with Article 39 GDPR."
By citing the article of the legislation that lays out the minimum duties, the author of the letter ensures that the DPO's tasks track the statutory requirements regardless of whether the company legally needs a DPO.
Finally, the letter mentions an essential piece of the legislation - the DPO's independence:
"Ms. Sample shall act without being subject to supervisory instruction in the application of expertise in the area of data protection and shall be supported by management in his/her executional endeavors. To this end, he/she may consult the data protection regulatory authority responsible for our company whenever clarification is required."
You don't need to list every duty and responsibility in the letter, because referencing Article 39 already imports the statutory tasks. However, it is helpful to do so when you hire or nominate internally, because it provides a baseline for reference.
You might also choose to add these sections in detail when you have your own requirements for the job, as long as those details don't clash with the GDPR. In particular, any additional tasks you assign must not create a conflict of interest with the DPO's independent role.
If you need a DPO, then it's not enough to appoint an employee or hire a service. You need to formally nominate them with a letter to remain compliant with the GDPR.
These letters are easy to put together, and they only require a few essential details, like the name of the data controller and the name and contact details of the DPO. Beyond that, the level of detail can range from simply referencing the relevant articles of the GDPR to spelling out exactly what you expect from the role.
Remember that without a documented appointment you cannot demonstrate compliance, and the fines for getting this wrong can run to millions of euros, so don't put this simple task off any longer.
This free, downloadable template helps you get started with:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.