§ GDPR · Article 39
GDPR Article 39: Obligations, Deadlines & Penalties
At a glance
Article 39 of the GDPR imposes 12 obligations on controller, data protection officer, processor.
§ Obligations
All obligations under Article 39
Obligation 1
The controller and processor shall provide resources necessary to carry out the data protection officer's tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
controller, processor
- Action required
-
provide
- Deadline
-
—
- Penalty
-
—
Obligation 2
The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
controller, processor
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 3
The controller or the processor shall not dismiss or penalise the data protection officer for performing his tasks.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
controller, processor
- Action required
-
refrain from dismissing or penalising
- Deadline
-
—
- Penalty
-
—
Obligation 4
The data protection officer shall directly report to the highest management level of the controller or the processor.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
data protection officer
- Action required
-
report
- Deadline
-
—
- Penalty
-
—
Obligation 5
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
data protection officer
- Action required
-
maintain confidentiality
- Deadline
-
—
- Penalty
-
—
Obligation 6
The controller or processor shall ensure that any other tasks and duties fulfilled by the data protection officer do not result in a conflict of interests.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
controller, processor
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 7
The data protection officer shall inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
data protection officer
- Action required
-
inform and advise
- Deadline
-
—
- Penalty
-
—
Obligation 8
The data protection officer shall monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
data protection officer
- Action required
-
monitor
- Deadline
-
—
- Penalty
-
—
Obligation 9
The data protection officer shall provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
data protection officer
- Action required
-
advise and monitor
- Deadline
-
—
- Penalty
-
—
Obligation 10
The data protection officer shall cooperate with the supervisory authority.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
data protection officer
- Action required
-
cooperate
- Deadline
-
—
- Penalty
-
—
Obligation 11
The data protection officer shall act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
data protection officer
- Action required
-
act as contact point
- Deadline
-
—
- Penalty
-
—
Obligation 12
The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Regulation (EU) 2016/679, Article 39, Article 39
- Obligated entity
-
data protection officer
- Action required
-
have due regard
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 39
Who must comply with Article 39 of the GDPR?
+
controller, data protection officer, processor.
What does Article 39 of the GDPR require?
+
provide ensure refrain from dismissing or penalising