§ GDPR · Article 39

GDPR Article 39: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 39 · All obligations · GDPR
At a glance
Article 39 of the GDPR imposes 12 obligations on controller, data protection officer, processor.
§ Obligations

All obligations under Article 39

Obligation 1
The controller and processor shall provide resources necessary to carry out the data protection officer's tasks and access to personal data and processing operations, and to maintain his or her expert knowledge. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
controller, processor
Action required
provide
Deadline
Penalty
Obligation 2
The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
controller, processor
Action required
ensure
Deadline
Penalty
Obligation 3
The controller or the processor shall not dismiss or penalise the data protection officer for performing his tasks. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
controller, processor
Action required
refrain from dismissing or penalising
Deadline
Penalty
Obligation 4
The data protection officer shall directly report to the highest management level of the controller or the processor. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
data protection officer
Action required
report
Deadline
Penalty
Obligation 5
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
data protection officer
Action required
maintain confidentiality
Deadline
Penalty
Obligation 6
The controller or processor shall ensure that any other tasks and duties fulfilled by the data protection officer do not result in a conflict of interests. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
controller, processor
Action required
ensure
Deadline
Penalty
Obligation 7
The data protection officer shall inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
data protection officer
Action required
inform and advise
Deadline
Penalty
Obligation 8
The data protection officer shall monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
data protection officer
Action required
monitor
Deadline
Penalty
Obligation 9
The data protection officer shall provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
data protection officer
Action required
advise and monitor
Deadline
Penalty
Obligation 10
The data protection officer shall cooperate with the supervisory authority. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
data protection officer
Action required
cooperate
Deadline
Penalty
Obligation 11
The data protection officer shall act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
data protection officer
Action required
act as contact point
Deadline
Penalty
Obligation 12
The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing. Regulation (EU) 2016/679, Article 39, Article 39
Obligated entity
data protection officer
Action required
have due regard
Deadline
Penalty
§ Frequently asked

Questions about Article 39

Who must comply with Article 39 of the GDPR? +
controller, data protection officer, processor.
What does Article 39 of the GDPR require? +
provide ensure refrain from dismissing or penalising
Need a cross-border briefing on GDPR Article 39?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles