Under the European Union's General Data Protection Regulation (GDPR), certain organisations are obliged to appoint a Data Protection Officer (DPO): public authorities, and controllers or processors whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Art. 37). Among other tasks, a DPO advises the organisation on its GDPR obligations and monitors internal compliance with the Regulation. Importantly, the DPO is also the contact point for the supervisory authority and a point of contact for data subjects on matters relating to the processing of their personal data.
One of the problems the GDPR seeks to reduce is the high rate of data breach incidents, both at organisations within Europe and at businesses outside Europe that process the data of people in the EU. Given the pivotal position DPOs hold in the data protection regime, the question naturally arises whether they can be held personally liable when a data breach occurs.
Nothing in the GDPR suggests that DPOs are meant to bear personal liability for compliance failures such as data breaches. The Article 29 Working Party's Guidelines on Data Protection Officers (WP 243) make this explicit: responsibility for compliance, including for data breaches, rests with the controller or processor, which is the party the Regulation obliges to implement appropriate measures and demonstrate compliance (Art. 24). This holds regardless of how much autonomy and authority the organisation has vested in its DPO.
This does not mean a DPO is immune from personal liability for other conduct. Like any other employee, a DPO remains personally answerable for breach of contract and for violations of the general employment, civil, or criminal law of the relevant EU member state.
In practice, then, a DPO can be disciplined, penalised, or held liable for matters connected with the employment role, such as dereliction or abandonment of their duties, and for matters unrelated to that role, such as committing crimes like theft or harassment. One important caveat: under Art. 38(3) GDPR the controller or processor may not dismiss or penalise the DPO for performing their DPO tasks, so an organisation cannot lawfully use the threat of sanctions to pressure a DPO over advice or findings it dislikes.