The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of [their] tasks.
For instance, the A29WP highlights that DPOs must not be instructed on, inter alia:
- what result should be achieved;
- how to investigate a complaint;
- whether to consult the supervisory authority; or
- to take a certain view of an issue related to data protection law.
In addition, Article 38.3 of the GDPR states that “the data protection officer shall directly report to the highest management level of the controller or the processor”.
Although data protection officers are independent and report to the highest management level, this does not mean that they have decision-making powers extending beyond their tasks: controllers and processors remain the entities or individuals responsible for compliance with data protection laws.
Finally, to reinforce the independence of DPOs, the GDPR protects them from being dismissed or penalised by the controller or the processor for performing their tasks.
A penalty here should be construed not only as dismissal or a financial cost, but also as indirect forms such as an absence or delay of promotion, prevention of career advancement, or a mere threat thereof.