Audit of Data Protection Officer appointment

When checking compliance with the GDPR, the Polish Data Protection Authority examines not only the fulfillment of the most common obligations, such as having a proper legal basis, providing necessary information on processing personal data or securing personal data. One of the core elements of the data protection authority's audit is also verification of compliance with the provisions on the proper appointment and functioning of the DPO in an organisation. The subject of such audit concerns, i.a.:

• the obligation to appoint a DPO,
• notification to the supervisory authority of the appointment or dismissal of the DPO,
• the publication of the name of the DPO on the website of the entity designating the DPO,
• the role of the DPO in the internal structure of the organisation concerned,
• the involvement of the DPO in personal data protection matters,
• the existence of conflicts of interest.

Doubts and questions as to the status of the DPO that have arisen since the entry into force of the GDPR have formed the basis for the supervisory authority to develop a detailed list of questions in the light of which the authority verifies issues concerning the appointment of the DPO.

As part of our audit of the principles for appointing a DPO and ensuring that the DPO performs his or her functions, we are examining the extent to which the entity that appointed DPO fulfills the issues referred to in the 27 questions presented by the Polish supervisory authority (UODO).

1. Has the controller appointed a Data Protection Officer (DPO)?
2. Is there an obligation on the controller to appoint a DPO (if so, on what legal basis) or has a DPO been appointed in the absence of such an obligation?
3. Has the controller published the name and contact details of the DPO on its website or, if it does not have a website, in a manner generally accessible at the place of establishment of the controller?
4. Is the above information in a publicly accessible place (please indicate the place, in case of a website, indicate its address and link to this information)?
5. Is the DPO an employee of the controller and, if not, on what legal basis does he/she perform his/her duties?
6. Has the DPO been appointed exclusively with the controller or does he/she also perform his/her duties with other controllers?
7. On the basis of which qualifications has the controller appointed the DPO (e.g. education, experience, knowledge)?
8. What necessary resources referred to in Article 38(2) of Regulation 2016/679 does the controller provide to the DPO?
9. How does the controller provide resources to maintain the expertise of the DPO?
10. What position does the DPO hold and to whom does he/she report within the controller's organisational structure?
11. Has the controller appointed a deputy DPO, if so, when?
12. Does the controller have a DPO team or other form of ongoing support for the DPO in carrying out his/her tasks?
13. How does the controller ensure that the DPO is appropriately and promptly involved in all data protection matters (e.g., have rules been developed on what matters are to be consulted with the DPO, who should come forward to consult the DPO and in what situations, does the DPO participate in management meetings and on what terms)?
14. How does the controller provide the DPO with access to personal data and processing operations?
15. Has the controller adopted any internal regulations regarding the functioning of the DPO (in particular to ensure respect for the guarantees of his/her independence and his/her powers regarding access to personal data and processing operations, involvement in all matters concerning personal data protection, avoidance of conflicts of interest) and, if so, in which internal act have they been provided for?
16. How does the controller ensure that no instructions are given to the DPO on the performance of the DPO's tasks?
17. How does the controller ensure that DPOs are not sanctioned or dismissed for carrying out their tasks?
18. How does the controller deal with cases where the guidance or recommendations of the DPO are not taken into account, e.g. does it document the reasons for not following the guidance?
19. How can data subjects contact the DPO in accordance with Article 38(4) of Regulation 2016/679?
20. Does the DPO also perform other duties or exercise another function in addition to his/her data protection duties, if so:(a) which and how much time does the DPO perform the role of DPO, and which other tasks,(b) how has the controller assessed that for each of these tasks there is no conflict of interest as referred to in Article 38(6) of Regulation 2016/679?

    (c) In performing the other tasks, does the DPO report to persons other than the administrator's top management?

21. Has the controller developed a policy for managing conflicts of interest or implemented any other mechanism to ensure that there are no conflicts of interest?
22. Does the DPO perform his/her tasks only on the controller's premises and, if not, where and how is it ensured that the DPO is permanently available to the administrator's management and staff?
23. Has the DPO developed (systematically develops) a plan for his/her work, e.g. in terms of training, audits?
24. Has such a plan been presented to the controller to enable an assessment to be made as to whether the DPO has sufficient resources and authority in the areas that the DPO covers?
25. How often and how does the DPO communicate the results of the audits carried out to the controller?
26. Has the controller requested the DPO to provide recommendations for data protection impact assessments, and if so, in which situations?
27. Does the controller control the work of the DPO, and if so, how?

As part of the audit, we will also prepare an appropriate summary of the degree to which the above issues are met, in which:

• we indicate to what extent the appointment or functioning of the DPO in a given organisation does not meet the conditions examined by the DPA
• we recommend what actions should be taken to eliminate the observed risk of non-compliance and avoid it in the future