Updated guidelines on the duties and position of the data protection officer
In June 2024, the Finnish Office of the Data Protection Ombudsman updated its guidelines for the organisations that have designated a data protection officer. The update is based on a report published by the European Data Protection Board on the role of data protection officers, according to which many data protection officers continue to face challenges in their duties. The updated guidelines highlight, among other things, the independent position and resource needs of the data protection officer.
The data protection officer is an in-house specialist who provides information and advice on data protection responsibilities to the organisation’s management and employees, and monitors compliance with data protection legislation throughout the organisation. According to the EU General Data Protection Regulation (the GDPR), the controller and the processor shall designate a data protection officer, for example, when they process sensitive personal data on a large scale, or when their core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale. A data protection officer may also be designated on a voluntary basis when the GDPR does not require it. In that case, the requirements of the GDPR apply in the same way as when designation is mandatory.
The controller and the processor shall ensure that the data protection officer is involved in the handling of all issues concerning the protection of personal data within the organisation, so that the data protection officer is able to address any deficiencies in the processing of personal data that they may find. The data protection officer must be given sufficient resources to carry out their duties: for instance, sufficient working time, tools and the opportunity to develop their competence through training. The data protection officer must have the opportunity to report directly to the top management of the organisation. Furthermore, the opinion of the data protection officer must always be given appropriate weight. If the data protection officer’s advice is not followed in a specific case, it is recommended to document the grounds on which the advice was not followed.
The data protection officer acts as the contact person for both the national Office of the Data Protection Ombudsman and the data subjects in matters related to the processing of personal data. The contact details of the data protection officer must be easily accessible, for example on the organisation’s website. Data subjects may contact the data protection officer on any matter related to the processing of their personal data and the exercise of their rights under the GDPR within the organisation. It is recommended that the organisation also appoint a deputy data protection officer so that, for example, any data breaches and other matters concerning the rights of data subjects are dealt with without delay in the absence of the data protection officer.
The data protection officer shall be independent in their role and shall have no conflicts of interest with their duties as a data protection officer. The data protection officer shall not be instructed in the performance of their duties, nor shall they be dismissed or punished for the performance of their duties. The data protection officer is not personally responsible for infringements of the GDPR, since compliance with data protection regulations is the responsibility of the controller or the processor.