Article 38

Position of the data protection officer

General Data Protection Regulation · UE 2016/679

Position of the data protection officer

1.   The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

2.   The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

3.   The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

4.   Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.

5.   The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

6.   The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Luxembourg specificity
loi luxembourgeoise du 1er aout 2018 portant organisation de la Commission nationale pour la protection des donnees

In Luxembourg, the law of 1 August 2018 organising the CNPD and implementing the GDPR confirms the exclusive competence of the CNPD (never the APDL) to supervise the effectiveness of the DPO function. The CNPD focuses on the absence of conflicts of interests and on the direct reporting line to top management during its thematic inspections. The DPO notification to the CNPD must be kept up to date whenever the person or the reporting line changes.

Luxgap practice: keep a timestamped evidence file (committee minutes, org chart, DPO appointment letter confirming the absence of instructions) immediately available, because the CNPD requests it at the start of an inspection.