You have a complaint against an EU institution or body?

Decision of the European Ombudsman adopting implementing rules concerning the tasks, duties and powers of the Data Protection Officer

The European Ombudsman

Having regard to

(1) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (the ‘Regulation’)[1], and in particular Article 45(3) thereof; and

(2) The European Data Protection Supervisor’s (the ‘EDPS’) Position paper on the role of Data Protection Officers of the EU institutions and bodies,

Has decided as follows:

Article 1 Designation of the DPO

1. The European Ombudsman shall designate a Data Protection Officer (hereinafter referred to as the ‘DPO’) among the staff members of the European Ombudsman on the basis of his or her personal and professional qualities, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks. A Deputy DPO may be designated, following consultation with the DPO[2]. The DPO may have assistant staff.

2. The term of office of the DPO shall be of five years and shall be eligible for reappointment.

3. The contact details of the DPO shall be communicated to the EDPS and published on the European Ombudsman’s website.

4. The DPO who no longer fulfils the conditions required for the performance of his or her duties may only be dismissed by the European Ombudsman with the consent of the EDPS. The European Ombudsman shall establish that the DPO no longer fulfils these conditions upon proposal from the Secretary-General. For the purposes of obtaining the consent of the EDPS to such a dismissal pursuant to Article 44(8) of the Regulation, the EDPS shall be consulted in writing. A copy of that consent shall be sent to the DPO.

Article 2 Status of the DPO

1. The DPO reports to the Secretary-General of the European Ombudsman.

2. Without prejudice to paragraph 1, the DPO shall act in an independent manner. The DPO may not receive any instructions regarding the exercise of his or her tasks or be dismissed or penalised for performing those asks.

3. The European Ombudsman shall ensure that:

(a) the DPO is involved, properly and in a timely manner, in all issues which relate to data protection;

(b) the DPO has the time and resources necessary to carry out his or her tasks, and to maintain his or her expert knowledge; and

(c) there is no conflict of interests between the tasks and duties of the DPO as such and any other official tasks and duties that he or she may  perform.

4. The DPO and the related assistant staff are bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union law.

Article 3 Tasks, duties and powers of the DPO

1. The DPO shall inform and advise the European Ombudsman on the institution’s obligations pursuant to the Regulation and to other Union data protection provisions.

2. The DPO shall ensure, in an independent manner, the internal application of the Regulation and monitor compliance with the Regulation, with other applicable Union law containing data protection provisions and with the European Ombudsman’s policies in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.

3. The DPO shall ensure that data subjects are informed of their rights and obligations pursuant to the Regulation.

4. The DPO shall provide advice where requested as regards the need for

(a) a notification to the EDPS and/or a communication to the data subject of a personal data breach;

(b) a data protection impact assessment, monitor its performance, and consult the EDPS in case of doubt as to the need for a data protection impact assessment; and

(c) a prior consultation with the EDPS, and consult the EDPS in case of doubt as to the need for a prior consultation.

5. The DPO shall respond to requests from the EDPS and, within the sphere of his or her competence, co-operate and consult with the EDPS at the latter's request or on his or her own initiative.

6. The DPO shall ensure that the rights and freedoms of data subjects are not adversely affected by processing operations of which the European Ombudsman is the controller.

7. The DPO shall keep a central register of records of processing operations and of personal data breaches under the responsibility of the European Ombudsman. The DPO shall ensure that the register of records of processing operations is publicly accessible, also electronically. Upon request, records of processing activities of the European Ombudsman shall be made available to the EDPS.

8. The European Ombudsman, the Staff Committee and any individual may consult the DPO, without going through the official channels, on any matter concerning the interpretation or application of the Regulation, insofar as it relates to data processing activities of which the European Ombudsman is the controller. As far as possible, the DPO shall provide information that is understandable without specialist knowledge.

9. The DPO may make recommendations to the European Ombudsman for the practical improvement of data protection and give advice on matters concerning the application of data protection provisions to data processing activities of which the Ombudsman is the controller.

10. The DPO may, at his or her own initiative or at the request of the European Ombudsman, the Secretary General, the Staff Committee or any individual, investigate matters and occurrences directly relating to his or her tasks and which come to his or her notice, and report back to the person who commissioned the investigation or to the European Ombudsman. Such investigations shall respect the principle of fairness and the right of persons involved to express their views on facts concerning them.

11. Data subjects may contact the DPO with regard to all issues related to the processing of their personal data and to exercise their rights.

12. No one shall suffer prejudice on account of a matter brought to the attention of the DPO alleging that a breach of the Regulation has taken place.

13. In performing his or her duties, the DPO shall have access at all times to the data forming the subject-matter of processing operations and to all offices, data- processing installations and data carriers.

14. In the discharge of his or her functions in relation to processing carried out by another Union institution or body on behalf of the European Ombudsman, the DPO may cooperate with the data protection officer of the institution or body concerned.

Article 4 Entry into force

This Decision shall enter into force on the date of its adoption.

Done at Strasbourg, 09/10/2019

Emily O’Reilly


[1] OJ 2018 L 295, p. 39.

[2] Where a Deputy DPO is designated pursuant to this procedure, the expression ‘DPO’ shall be understood to mean both the DPO and the Deputy DPO.