The management of an organization is responsible for the handling of personal data and correct compliance with the AVG. It can be supported in this by an employee with a specific set of tasks, often called Privacy Officer (PO). In a number of cases, such as government agencies and organizations that process personal data on a large scale, the organization is required by law to appoint a Data Protection Officer (DPO).
The management of an organization is responsible for handling personal data and complying with the GDPR. It can be supported in this by a Privacy Officer (PO). In a number of cases, such as government agencies and organizations that process personal data on a large scale, the organization is required by law to appoint a Data Protection Officer (DPO).
So what exactly is the difference between a PO and a DPO?
| Privacy Officer | Data Protection Officer | |
|---|---|---|
| Role | First line Delegated responsible | Second line Independent advisor Formal role, registered with the Personal Data Authority (AP) |
| Focus | Proactive advice and thinking from the perspective of organizational interests | Independent signaling and reporting |
| Tasks | – The privacy officer not only monitors the handling of personal data, but also has an advisory role. – Advise staff on privacy-related matters and provide training to increase internal knowledge in this area. – Assist in conducting a Data Protection Impact Assessment (DPIA) and in assessing and reporting data breaches. – Liaise with data subjects and the AP. – Drafting, evaluating and updating privacy policies and processor agreements. | – Supervise the handling of personal data and report on this to management. – Advise staff on privacy-related issues and provide training to increase internal knowledge in this area. – Assist in carrying out a Data Protection Impact Assessment (DPIA) and in assessing data breaches. – Liaise with data subjects and the AP. |
| Other requirements | – The DPO may not receive instructions regarding the performance of his duties. – Dismissal or other sanctions as a result of the performance of the DPO’s duties are not permitted, except in the case of poor performance. – The DPO may not hold outside positions that could potentially lead to conflicts of interest. |
The above comparison shows well how much overlap the two positions have. The main difference is that the Data Protection Officer focuses on oversight, while the Privacy Officer also has an important role in policy development and implementation. Ideally, the roles of PO and DPO should remain separate. The executive role of the PO may cause him to experience pressure from within the organization. After all, independently assessing whether self-created policies are adequate and complied with is almost impossible. Therefore, even organizations for whom it is not mandatory in practice often choose to appoint a DPO as an independent supervisor.
We are happy to help you determine which officer is best suited for your organization. Contact our privacy specialists without obligation or read more about our External Privacy Officer and External Data Protection Officer services.
