In view of the fact that in cases of processing of personal data considered by the Authority the controllers often request to be represented by the Data Protection Officer (DPO), the Authority notes the following:
Data Protection Officers are a key component of the new system of personal data governance, as developed under the General Data Protection Regulation 2016/679 (GDPR) and Law 4624/2019 (Government Gazette, A’ 137). DPOs assist the controller in complying with the institutional framework for the protection of personal data. However, their opinion is not binding on the controller who has the obligation to take the necessary actions and measures so that that the processing of personal data is in line with the regulatory framework and demonstrate such compliance (accountability). When performing their tasks Data Protection Officers enjoy autonomy and independence, which is not compatible with supporting the lawfulness of the processing of personal data by the controller and may create a conflict of interests with their role as the controller’s representative.
The Authority therefore informs the controllers that they are not allowed to be represented by the Data Protection Officer before the Authority. It should be clarified that Data Protection Officers are allowed to be present only if they wish to attend the Authority’s meetings.
For more information on DPOs, see “Guidelines for Controllers” ð “Data Protection Officer (DPO)” section on the DPA website www.dpa.gr, as well as the Guidelines on Data Protection Officers ('DPOs') of the Article 29 Working Party (WP. 243 rev. 01 of 05 April 2017).