Businesses and public organisations must take steps to ensure the best possible protection for personal data. To control the governance of personal data within the organisation, a Data Protection Officer (DPO) may need to be appointed.

The role of the DPO is to prevent the risks inherent in the processing of personal data from materialising. They must be appointed on the basis of their professional qualifications. There is no standard profile for DPOs. They could come from a technical background, a legal background, or some other background.

The DPO must be appointed:

• on the basis of their professional qualifications and, in particular, their specialist knowledge of the law and practices in terms of data protection; and
• the ability to accomplish the job they are tasked with.

Anyone whose personal data is processed may contact the relevant DPO with any questions they may have about the processing of their data and exercising their rights.

Data controllers (responsible for the processing of personal data) and processors must provide the National Commission for Data Protection (Commission nationale pour la protection des données – CNPD) with the contact details of the DPO.

Who is concerned

The appointment of a DPO is compulsory for:

• public organisations and public authorities;
• companies whose core business, on account of its nature, scope and/or purpose, requires them to regularly and systematically monitor data subjects on a large scale;
• companies whose core business requires them to engage in large-scale processing of "sensitive" data or data on criminal convictions or offences.

Tribunals acting in their legal capacity are not bound to this obligation.

However, all business are encouraged to appoint a DPO since, in doing so, they would be entrusting the responsibility for identifying and coordinating data protection-related actions to an expert.

Prerequisites

The DPO must possess the skills and qualifications required to carry out their duties, i.e.:

• the ability to communicate effectively and act independently in carrying out their duties;
• expertise in legal matters and practices in the area of data protection. The degree of expertise must be commensurate with the activity in which the organisation is engaged, and the sensitivity of the processing operations;
• good knowledge of the organisation's sector of activity, organisational structure and, in particular:
  • processing operations;
  • information systems;
  • the organisation's needs in terms of data protection and data security.
• sufficient authority within the organisation to be able to:
  • report directly to the highest echelons in the organisation;
  • coordinate a network of relay persons within the subsidiaries of a group, for example, and/or an in-house team of experts (IT expert, legal expert, communications expert, translator, etc.).

Costs

A DPO-appointment notification may be filed with the CNPD free of charge.

How to proceed

Submitting the DPO-appointment notification

The DPO-appointment notification form, duly filled in and signed, must be sent by email to: declarationDPO@cnpd.lu.

Role of the DPO

The DPO's main duties include:

• informing and advising the data controller or processor, as well as their employees;
• ensuring that, in matters concerning the protection of personal data, the data processing operations conducted under the authority of the data controller or the processor are compliant with the General Data Protection Regulation (GDPR) and national data-protection laws. In particular, where the distribution of responsibilities is concerned, heightening awareness among and training staff involved in data-processing operations, and carrying out audits; 
• cataloguing the data-processing activities engaged in by their business/organisation;
• advising data controllers on conducting data-protection impact assessments, and checking the implementation of those assessments;
• devising awareness-raising actions;
• cooperating with the CNPD and acting as the latter's point of contact. The DPO must also facilitate CNPD access to documents and/or information for the purpose of investigating a claim, or if further details or clarification are needed for an ongoing project, etc.;
• evaluating the risks associated with the absence of protection in the data processing operations in place. In carrying out their duties, the DPO must consider the risks associated with processing operations that could affect the nature, scope, context and purposes of the processing.

Means of action available to the DPO

The DPO must have the support of the organisation which appointed them.

The data controller or the processor must:

• ensure that the DPO is involved in all matters relating to data protection (e.g. internal and external communication on the DPO's appointment);
• provide the DPO with the resources they need to carry out their duties (training, time, financial resources, teams, etc.). In particular, the data controller or the processor must provide the DPO with opportunities to keep abreast with developments in the field of data protection;
• allow the DPO to act independently (sufficiently senior position, no sanctions for carrying out their duties);
• facilitate the DPO's access to data and processing operations (facilitate access to other departments in the organisation);
• ensure that there are no conflicts of interest (the DPO may not occupy positions within the organisation that would give them a say in determining the purpose of and the resources allocated to processing. They cannot be both judge and party).

For example, the following positions may give rise to a conflict of interest: secretary-general, director-general for services, director-general, operations director, financial director, chief medical officer, head of marketing, head of human resources, head of IT.

A conflict of interest may also arise, for instance, if a DPO, engaged under a service agreement, represents the organisation in court in cases involving personal-data issues.

The DPO reports directly to the most senior management of the data controller or the processor.

Method of appointing the DPO

A group of businesses may appoint a common DPO provided that the latter can be easily contacted from any of the sites of the businesses in the group. The DPO must be able to communicate effectively with all persons concerned, and to cooperate with the supervisory authority.

When the data controller or the processor is a public authority or public body, a single DPO may be appointed for several such authorities or bodies, depending on their organisational structure and size.

The DPO may:

• be on the data controller's or the processor's staff (internal DPO);
• carry out their duties under the terms of a service agreement (external DPO) (such as a lawyer).

Obligations

The DPO is bound by a duty of professional secrecy or an obligation of confidentiality in the course of their duties.

The DPO may carry out other missions and tasks, provide they do not give rise to conflicts of interest.

The position of DPO may be a full-time or a part-time job.

The data controller or the processor must publish the DPO's contact details, and communicate them to the CNPD.

Sanctions

The DPO must act independently and be sufficiently protected in the course of their duties.

Note: The DPO is not a "protected" employee in the meaning of the Labour Code. Like any other employee, they may be legitimately dismissed for reasons that have nothing to do with their duties as DPO. 

The DPO is not liable for non-compliance with the GDPR. Only the data controller or the processor is required to ensure, and be in a position to demonstrate, that personal data is being processed in compliance with the GDPR.

Forms / Online services

Who to contact