Art. 37 DPO ≠ Art. 27 Representative
We understand the business pressures to streamline a supply chain and gain efficiencies from having vendors perform multiple tasks. However, the European Data Protection Board's (EDPB) guidance indicates that there is one such combination that would not be permitted under the GDPR -- outsourcing the role of a Data Protection Officer (DPO) and a controller/processor's representative to the same external provider. We explain the details below.
If you have made the determination that the designation of a DPO is necessary given your activities as a controller or processor (see GDPR, Article 37), then care must be exercised to ensure your DPO can fulfill their duties with the required level of autonomy and independence. The EDPB highlights these expectations --
"Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers or processors are required to ensure that the DPO 'does not receive any instructions regarding the exercise of [his or her] tasks'. Recital 97 adds that DPOs, 'whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.'"
Guidelines 3/2018 on the territorial scope of the GDPR (Nov. 2019) ("Guidelines"), p24.
These roles of the DPO are significantly different from the role of a representative. A representative is, by contrast, "subject to a mandate by a controller or processor and [is]... acting on its behalf and therefore under [their client's] direct instruction." Accordingly, the EDPB concludes that --
"The representative is mandated by the controller or processor it represents, and therefore acting on its behalf in exercising its task, and such a role cannot be compatible with the carrying out of duties and tasks of the data protection officer in an independent manner."
Guidelines, at p24.
If you are considering outsourcing your DPO and representative functions to the same external provider, please review the EDPB's guidance and consider the services of an independent representative, such as EUPR.
DISCLAIMER: The above analysis contains EUPR’s review of relevant legal documents and is intended to be informative, but is not legal guidance to EUPR clients or any other persons. We recommend that all clients conduct their own analysis independently with their own counsel. EUPR does not provide legal advice or services.