Navigation path

  • Print version
  • Decrease text
  • Increase text

Article 24 of Regulation 45/2001

Appointment and tasks of the Data Protection Officer

1. Each Community institution and Community body shall appoint at least one person as data protection officer. That person shall have the task of:

(a) ensuring that controllers and data subjects are informed of their rights and obligations pursuant to this Regulation;

(b) responding to requests from the European Data Protection Supervisor and, within the sphere of his or her competence, cooperating with the European Data Protection Supervisor at the latter's request or on his or her own initiative;

(c) ensuring in an independent manner the internal application of the provisions of this Regulation;

(d) keeping a register of the processing operations carried out by the controller, containing the items of information referred to in Article 25(2);

(e) notifying the European Data Protection Supervisor of the processing operations likely to present specific risks within the meaning of Article 27.

That person shall thus ensure that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.

2. The Data Protection Officer shall be selected on the basis of his or her personal and professional qualities and, in particular, his or her expert knowledge of data protection.

3. The selection of the Data Protection Officer shall not be liable to result in a conflict of interests between his or her duty as Data Protection Officer and any other official duties, in particular in relation to the application of the provisions of this Regulation.

4. The Data Protection Officer shall be appointed for a term of between two and five years. He or she shall be eligible for reappointment up to a maximum total term of ten years. He or she may be dismissed from the post of Data Protection Officer by the Community institution or body which appointed him or her only with the consent of the European Data Protection Supervisor, if he or she no longer fulfils the conditions required for the performance of his or her duties.

5. After his or her appointment the Data Protection Officer shall be registered with the European Data Protection Supervisor by the institution or body which appointed him or her.

6. The Community institution or body which appointed the Data Protection Officer shall provide him or her with the staff and resources necessary to carry out his or her duties.

7. With respect to the performance of his or her duties, the Data Protection Officer may not receive any instructions.

8. Further implementing rules concerning the Data Protection Officer shall be adopted by each Community institution or body in accordance with the provisions in the Annex. The implementing rules shall in particular concern the tasks, duties and powers of the Data Protection Officer.

ANNEX

1. The Data Protection Officer may make recommendations for the practical improvement of data protection to the Community institution or body which appointed him or her and advise it and the controller concerned on matters concerning the application of data protection provisions. Furthermore he or she may, on his or her own initiative or at the request of the Community institution or body which appointed him or her, the controller, the Staff Committee concerned or any individual, investigate matters and occurrences directly relating to his or her tasks and which come to his or her notice, and report back to the person who commissioned the investigation or to the controller.

2. The Data Protection Officer may be consulted by the Community institution or body which appointed him or her, by the controller concerned, by the Staff Committee concerned and by any individual, without going through the official channels, on any matter concerning the interpretation or application of this Regulation.

3. No one shall suffer prejudice on account of a matter brought to the attention of the competent Data Protection Officer alleging that a breach of the provisions of this Regulation has taken place.

4. Every controller concerned shall be required to assist the Data Protection Officer in performing his or her duties and to give information in reply to questions. In performing his or her duties, the Data Protection Officer shall have access at all times to the data forming the subject-matter of processing operations and to all offices, data-processing installations and data carriers.

5. To the extent required, the Data Protection Officer shall be relieved of other activities. The Data Protection Officer and his or her staff, to whom Article 287 of the Treaty shall apply, shall be required not to divulge information or documents which they obtain in the course of their duties.