Some time ago I was offered the opportunity to act as an external DPO for a Belgian SME. After the required interviews, the CEO presented me with a contract to which the company’s external law firm had added a processor agreement.
Unexpected, I must admit. Apart from a couple of interesting exchanges of ideas with legal experts, I had never considered the possibility that I might be presented with a processor agreement at the start of a DPO assignment. I didn’t sign the contract at that point but requested some time to look into it, after which I gave the CEO my reasoned view on the matter.
Let me start by saying that it is my strong opinion that the external DPO is not a processor under the GDPR, but that this is a separate role alongside processor and controller. The discussion in this article is obviously limited to the external DPO, meaning that ‘DPO’ in this article is to be read as ‘external DPO’.
Looking at the definition of the processor in Art. 4(8), one might assume that a DPO could be a processor, since the definition speaks only of processing personal data on behalf of the controller, but is that enough? Art. 29, on the other hand, clearly states (abbreviated) that ‘a processor shall not process the personal data except on instructions from the controller’. Would the instruction ‘Do your job’ be what the legislator had in mind? I don’t believe so, as can be read in Art. 28.3(a): ‘the processor processes the personal data only on documented instructions from the controller’. This runs contrary to Art. 38.3, which states that the controller and processor shall ensure that the DPO does not receive any instructions regarding the exercise of his/her tasks. The controller/processor that designated the DPO must, on the other hand, support him/her in performing the tasks described in Art. 39 (Art. 38.2), which is not the same as ‘working under instruction’. There is no need for a separate processor agreement to describe the tasks of a DPO.
Furthermore, Art. 28.3 sets out that a contract between the controller and the processor is required, describing the nature and purpose of the processing (in this case, the role of the DPO), the type of personal data, the categories of data subjects, and so on. Does this mean that the controller/processor who appoints a DPO may exclude certain types of personal data and categories of data subjects from what the DPO is allowed to process?
Taking this further: a processor can also be required to designate a DPO (Art. 37), meaning that if the DPO were a processor, he/she could in turn be required to designate a DPO. Where would that end? In a never-ending chain of DPOs?
Of course, as described in Art. 39.2, the DPO must in the performance of his/her tasks have due regard to the risk associated with the processing operations, and in that sense does bear responsibility where the implementation of technical and organisational measures ensuring that processing complies with the GDPR is concerned. But this does not require a specific processor addendum to the contract.
My conclusion: nowhere in the regulation could I find an article that defines, or even suggests, that the DPO is or should be a processor. The DPO is a role in its own right, just as processor and controller are. In my opinion this specific role is not compatible with the requirements placed on a processor, and as such the DPO cannot be a processor.
I’m sure some readers of this article will think differently, and I’ll be happy to hear from you and your reasoning.