Your Right to Contact the Data Protection Officer
This piece was written by Fred Logue of FP Logue Solicitors and first published on LinkedIn. It is reproduced here with permission.
As a data subject you have the right to contact the Data Protection Officer of an organisation which is processing personal data concerning you.
This right is set out in Article 38(4) of the GDPR.
38(4) Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
Being able to contact the DPO is an important data subject right that is often overlooked.
The DPO’s job is to monitor compliance and advise the controller as a way of compensating for the significant imbalance between the controller and the data subject. Only some categories of controllers, including all public authorities, are required to have a DPO, but these are usually the organisations where the risks to data subjects are the greatest.
The controller must guarantee that their DPOs are properly resourced, that they are not under instruction in relation to their tasks and that they have access to the highest levels in their organisation. This ensures that DPOs can act independently and effectively in the interest of data protection compliance.
If the data subject has any queries or issues, he or she has a right to contact the DPO about all issues relating to the processing of their personal data and the exercise of their rights. For example, you might not understand or agree with a request to exercise your rights, in which case you can contact the DPO.
Many organisations are not identifying their DPO or are making it hard for them to be contacted, which is in breach of the GDPR.
For EU institutions and agencies the European Data Protection Supervisor maintains a list of DPOs. Hopefully the Irish Data Protection Commission will follow suit with a list of Irish public-sector DPOs, thereby increasing transparency and making it easier for individuals to exercise their rights.
Where next?
If an organisation has a Data Protection Officer then the contact details of the DPO must be published. This is part of your Right to Information.
Read more elsewhere
The European Data Protection Board has published detailed guidelines on Data Protection Officers which you can read here.