The Data Protection Officer (DPO) is an important part of the legal framework created by the General Data Protection Regulation (GDPR).
Articles 37 to 39 GDPR lay down the rules applicable to the designation, position and tasks of the DPO.
Furthermore, the former Article 29 Working Party adopted guidelines on DPOs on 5 April 2017, which have been endorsed by the European Data Protection Board (EDPB). These guidelines contain recommendations for controllers, processors and DPOs to which the CNPD adheres.
1. In which cases is it mandatory to appoint a DPO?
The designation of a DPO is mandatory in the following three cases:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
Unless it is evident that an organisation is not required to designate a DPO, it is recommended that controllers and processors document the internal analysis carried out to determine whether a DPO is to be appointed.
As indicated in the first hypothesis above, any public authority or public body must designate a DPO if it processes personal data as a controller or processor.
This rule applies regardless of the size or number of employees of the public authority or body.
The concept of public authority and public body covers state administrations and departments, municipalities and other bodies governed by public law, such as public establishments.
2. What is meant by “core activities”?
The core activities relate to the main activities of the controller or processor and do not concern the processing of personal data as an ancillary activity. ‘Core activities’ can be considered as the essential operations necessary to achieve the objectives of the controller or processor.
Example: A bank’s core business involves processing its customers’ financial data. The bank must also process HR data of its employees, but this is an ancillary activity.
3. What is meant by ‘large scale’?
The GDPR does not define the notion of large scale. The guidelines recommend taking into account in particular the following factors:
- the number of data subjects concerned - either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity;
- the geographical extent of the processing activity.
Example of large scale processing: processing of patient data by a hospital (unlike processing of patient data by an individual physician).
4. What is meant by ‘regular and systematic monitoring’?
The GDPR does not define this concept, but it clearly includes all forms of tracking and profiling on the internet, including for behavioural advertising purposes. However, the concept of monitoring is not limited to the online environment.
Monitoring is regular when there is some repetition, periodicity, consistency or permanence.
Monitoring is systematic when it is methodically organised, pre-established or part of a strategy.
Example: A bank that must regularly and systematically monitor the evolution of its customers’ accounts and transactions, in particular in the context of its obligations related to the prevention of fraud, money laundering or terrorism financing.
5. Can a DPO be designated on a voluntary basis?
Yes, an organisation may designate a DPO on a voluntary basis. In this case, the requirements under Articles 37 to 39 GDPR apply to his or her designation, position and tasks as if the designation had been mandatory. Thus, there is no difference in status between DPOs designated on a mandatory basis and DPOs designated on a voluntary basis.
6. Who can be designated as a DPO?
The DPO may be a staff member of the controller or processor (internal DPO), or carry out their tasks on the basis of a service contract (external DPO).
The DPO must have the requisite professional qualifications, must perform their duties independently and must not carry out other tasks and duties which would give rise to a conflict of interests.
Public authorities or public bodies have the possibility, taking into account their organisational structure and size, to pool their DPO with other public authorities or public bodies. But in this case, each of the entities concerned will have to complete the DPO designation form and send it to the CNPD.
7. What are the professional qualities required?
The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks.
The GDPR does not define precisely the necessary level of knowledge, but it must be commensurate with the sensitivity, complexity and amount of data that an organisation processes.
Relevant skills and expertise include in particular:
- expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
- understanding of the processing operations carried out by the organisation;
- understanding of information technologies and data security;
- knowledge of the business sector and the organisation;
- ability to promote a data protection culture within the organisation.
8. What is a ‘conflict of interest’?
The DPO may carry out other tasks and duties, provided that they do not give rise to a conflict of interest. The DPO cannot perform a function within the body that would lead them to determine the means (how?) and purposes (why?) of data processing. This must be considered on a case-by-case basis.
Examples of functions that may be considered incompatible with the DPO function: All managerial functions such as Director-General, Operational Director, Chief Financial Officer, Chief Medical Officer, Head of Marketing, Head of Human Resources or Head of IT, but also other roles at a lower level of the organisational structure if these functions or roles involve the determination of the purposes and means of processing. The activity of processor and (external) DPO for the same controller may also give rise to a conflict of interest.
In addition, a conflict of interest may arise from a previous function carried out by the DPO (e.g. an RSSI, i.e. an information security manager, who becomes DPO and would then have to monitor the processing operations that they themselves put in place in their previous function).
9. Must the DPO be approved by the CNPD?
No, the CNPD does not approve DPOs. The controller or the processor shall simply communicate the DPO’s contact details to the CNPD.
However, the CNPD may monitor whether controllers or processors comply with Articles 37 to 39 GDPR regulating the designation, position and tasks of the DPO.
10. What happens to the former data protection officer?
The repealed Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data allowed the controller to appoint, on a voluntary basis, a ‘data protection officer’. The DPO is the natural successor to the data protection officer, but there are differences in designation, function and duties.
With the entry into application of the GDPR on 25 May 2018, the function of the data protection officer was automatically terminated. No approach to the CNPD is necessary for this purpose.
However, the former data protection officer does not automatically take over the function of DPO. Data controllers and processors must comply with Articles 37 to 39 of the GDPR, and in particular communicate the contact details of the DPO to the CNPD.
11. What is meant by an obligation to publish the contact details of the DPO?
Any controller or processor must provide the data subjects with the contact details of their DPO in order to enable them to exercise their rights with regard to the protection of personal data. However, there is no obligation to make public the identity of the DPO.
The contact details of the DPO must contain information enabling the persons concerned to reach the DPO easily. For example, an e-mail address specific to the DPO can be created, making it possible to ensure that requests from data subjects are received correctly.
Other means of communication may be considered, such as specific telephone assistance, or a contact form specifically addressed to the DPO on the organisation’s website.
In addition, the contact details must be easily accessible. For this, several means can be envisaged, such as a contact email address indicated in the data protection policy available on the body’s website, a reminder of contact details in newsletters, etc.
12. What is meant by the obligation to communicate the DPO’s contact details to the supervisory authority?
The contact details of the DPO must be communicated to the CNPD as soon as they take up their duties. In the event of a change of DPO, the controller or processor must also notify the CNPD immediately.
To do so, the CNPD recommends using the form available on its website under the following link: ; and return it signed to the following address: declarationdpo@cnpd.lu.
The identity of the DPO must necessarily be indicated in the designation form, the DPO being the main point of contact between the CNPD and the body concerned.
13. What is meant by ‘resources needed’ for the DPO to carry out its tasks?
The GDPR specifies that the controller or processor assists the DPO in carrying out their tasks by providing them with the necessary resources to carry out their tasks but does not give clear indications on the time that must be allocated to the DPO’s tasks.
In the event that the organisation considers that less than 1 full-time equivalent (FTE) would be sufficient to carry out all the tasks of the DPO, it is good practice to set a percentage of time devoted to the DPO function and to justify the percentage chosen. This analysis is all the more important when the DPO combines another function within the organisation.
In addition, the DPO must have easy access to other services, such as human resources, legal service, IT, security, etc., so as to be able to rely on the support, contributions and essential information of these other services.
If the DPO has a data protection team, the internal structure of the team and the tasks and responsibilities of each of its members must be clearly established.
14. What is meant by the concept of autonomy of the DPO?
The DPO shall not be instructed in the performance of its duties.
If the controller takes decisions that are incompatible with the GDPR and the DPO’s opinion, the DPO should have the possibility to clearly indicate a diverging opinion at the highest level of management and to decision-makers.
15. What is meant by the concept of the involvement of the DPO in all data protection matters?
The DPO should be involved at the earliest possible stage in all data protection matters. For this, the DPO must necessarily be informed and consulted in the context of the implementation of any new project that would involve the processing of personal data.
To this end, the DPO may participate in the various committees/working groups in order to enable them to be directly and fully informed (e.g. participation in Management Committees, Project Coordination Committees, New Product Committees, Security Committees or any other committee deemed useful in the context of data protection).
16. What is meant by the DPO’s fact-finding and advisory missions?
The DPO must inform and advise the controller or processor, as well as employees about their data protection obligations.
To this end, the DPO may, for example, put in place a formal reporting of their activities to the Management Committee and an adequate data protection training scheme for staff.
17. What are the DPO’s control tasks?
The DPO must monitor compliance with the GDPR. To achieve this, they can, for example, draw up a control plan based on a defined frequency. This plan makes it possible to define a control strategy and not to lock the DPO in a reactive role.
18. What to do if the DPO resigns?
For entities subject to the obligation to appoint a DPO, any vacancy must be filled as soon as possible. It is recommended to initiate the process of replacing the DPO as soon as the organisation becomes aware of the DPO’s departure, in particular at the beginning of their notice period.
