You have a complaint against an EU institution or body?

Decision of the European Ombudsman adopting implementing rules concerning the tasks, duties and powers of the Data Protection Officer


Having regard to:

(1) Article 195 of the Treaty establishing the European Community and Article 107d of the Treaty establishing the European Atomic Energy Community;

(2) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data;(1)

Whereas the Ombudsman appoints a data protection officer (DPO), to carry out the functions laid down in Article 24 of Regulation 45/2001 ("the Regulation"), in accordance with the provisions of that Article;



1. The DPO shall be selected on the basis of his or her personal and professional qualities, including expert knowledge of data protection.

2. The DPO shall be appointed for a term of two years and eligible for reappointment up to a maximum total term of ten years. With the consent of the European Data Protection Supervisor, the Ombudsman may dismiss a DPO who no longer fulfils the conditions required for the performance of his or her duties.

3. The European Ombudsman shall ensure (a) that there is no conflict of interests between the duties of the DPO as such and any other official duties that he or she may perform and (b) that the DPO has the time and resources necessary to carry out his or her duties.

4. The tasks of the DPO are:

(a) to ensure that the Ombudsman and data subjects are informed of their rights and obligations pursuant to the Regulation;

(b) within the sphere of his or her competence as DPO and subject to (c) below, to respond to requests from the European Data Protection Supervisor and to co-operate with the European Data Protection Supervisor at the latter's request, or on his or her own initiative;

(c) to ensure in an independent manner the application of the provisions of the Regulation: the DPO shall neither seek nor take instructions in the performance of his or her duties;

(d) to maintain a public register of the processing operations carried out by the Ombudsman, containing the items of information referred to in Article 25(2) of the Regulation;

(e) to notify the European Data Protection Supervisor of any processing operations likely to present specific risks within the meaning of Article 27 of the Regulation.

In performing the above tasks, the DPO shall have as an objective that the rights and freedoms of data subjects are unlikely to be adversely affected by processing operations of which the Ombudsman is the controller.

5. The Ombudsman, the Staff Committee and any individual may consult the DPO on matters concerning the interpretation or application of the Regulation, insofar as it relates to data processing activities of which the Ombudsman is the controller. As far as possible, the DPO shall provide information that is understandable without specialist knowledge.

6. The DPO may make recommendations to the Ombudsman for the practical improvement of data protection and give advice on matters concerning the application of data protection provisions to data processing activities of which the Ombudsman is the controller.

7. The DPO may, at his or her own initiative or at the request of the Ombudsman, the head of the finance and administration department, the Staff Committee or any individual, investigate matters and occurrences directly relating to his or her tasks and report to the person who requested the investigation and to the Ombudsman. Such investigations shall respect the principle of fairness and the right of persons involved to express their views on facts concerning them. No one shall suffer prejudice as a result of bringing a possible breach of the Regulation to the attention of the DPO.

8. In performing his or her duties, the DPO shall have access at all times to the data forming the subject-matter of processing operations and to all offices, data-processing installations and data carriers. The DPO shall not divulge information or documents obtained in the course of his or her duties.

9. In the discharge of his or her functions in relation to processing carried out by another Community institution or body on behalf of the Ombudsman, the DPO may cooperate with the data protection officer of the institution or body concerned.

10. These rules shall be published on the Ombudsman's website. An announcement of their adoption shall be published in the Official Journal.

Done at Strasbourg, 3 September 2002


Jacob Söderman

(1) 2001 OJ L 8/1.