Under GDPR Articles 35 and 39, organizations with a Data Protection Officer (DPO) must consult them when conducting a Data Protection Impact Assessment (DPIA). However, controllers are not required to follow the DPO’s advice.
Role of the DPO in a DPIA
WP29 DPIA guidance clarifies that:
- The DPO’s advice and the controller’s final decision must be documented in the DPIA.
- The DPO assists with:
  - Determining if a DPIA is needed.
  - Choosing the DPIA methodology.
  - Reviewing whether the DPIA was properly conducted.
National SA Guidance on DPO Involvement
- Maltese SA: DPIA template includes a dedicated space for the DPO’s comments and signature.
- Swedish SA: The DPO must be consulted but ultimate responsibility remains with the controller.
- German SA: The DPO should advise the DPIA team, conduct a final review, and report findings to management.
Key Takeaways
- DPOs play a supporting and monitoring role, not a decision-making one.
- Controllers must document the DPO's input, even if that advice is not followed.
- National regulators reinforce the DPO’s advisory function but clarify that accountability remains with the controller.
By properly involving the DPO, organizations ensure a transparent, well-documented, and GDPR-compliant DPIA process.