Airteagal 39 RGCS (GDPR). Cúraimí an oifigigh cosanta sonraí
Article 39 GDPR. Tasks of the data protection officer
1. Beidh na cúraimí seo a leanas ar a laghad ag an oifigeach cosanta sonraí:
1. The data protection officer shall have at least the following tasks:
(a) fógra a thabhairt don rialaitheoir nó don phróiseálaí agus do na fostaithe a dhéanann an phróiseáil, agus comhairle a chur orthu siúd chomh maith, faoi na hoibleagáidí atá orthu de bhun an Rialacháin seo agus de bhun dlí eile de chuid an Aontais um chosaint sonraí nó de bhun fhorálacha eile Ballstáit um chosaint sonraí;
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
Where the word “employee” is used in this Opinion, WP29 does not intend to restrict the scope of this term merely to persons with an employment contract recognized as such under applicable labour laws. Over the past decades, new business models served by different types of labour relationships, and in particular employment on a freelance basis, have become more commonplace. This Opinion is intended to cover all situations where there is an employment relationship, regardless of whether this relationship is based on an employment contract.
(b) faireachán a dhéanamh ar chomhlíonadh an Rialacháin seo, ar chomhlíonadh dlí eile de chuid an Aontais um chosaint sonraí nó ar chomhlíonadh fhorálacha eile Ballstáit um chosaint sonraí, agus ar chomhlíonadh bheartais an rialaitheora nó an phróiseálaí maidir le cosaint sonraí pearsanta, lena n- freagrachtaí a shannadh, cur leis an bhfeasacht agus oiliúint a chur ar chomhaltaí foirne atá bainteach le hoibríochtaí próiseála, agus maidir leis na hiniúchtaí gaolmhara;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
As part of these duties to monitor compliance, DPOs may, in particular:
• collect information to identify processing activities
• analyse and check the compliance of processing activities
• inform, advise and issue recommendations to the controller or the processor.
Monitoring of compliance does not mean that it is the DPO who is personally responsible where there is an instance of non-compliance. The GDPR makes it clear that it is the controller, not the DPO, who is required to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ (Article 24(1)). Data protection compliance is a corporate responsibility of the data controller, not of the DPO.
(c) comhairle a thabhairt nuair a iarrtar sin air maidir leis an measúnú tionchair ar chosaint sonraí agus faireachán a dhéanamh ar a fheidhmíocht de bhun Airteagal 33;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
4.2. Role of the DPO in a data protection impact assessment
The WP29 recommends that the controller should seek the advice of the DPO, on the following issues, amongst others :
 Article 39(1) mentions the tasks of the DPO and indicates that the DPO shall have ‘at least’ the following tasks. Therefore, nothing prevents the controller from assigning the DPO other tasks than those explicitly mentioned in Article 39(1), or specifying those tasks in more detail.
• whether or not to carry out a DPIA
• what methodology to follow when carrying out a DPIA
• whether to carry out the DPIA in-house or whether to outsource it
• what safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects
• whether or not the data protection impact assessment has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with the GDPR.
If the controller disagrees with the advice provided by the DPO, the DPIA documentation should specifically justify in writing why the advice has not been taken into account .
(d) comhoibriú leis an údarás maoirseachta; agus
(d) to cooperate with the supervisory authority;
(e) gníomhú mar an pointe teagmhála don údarás maoirseachta i dtaobh saincheisteanna a bhaineann leis an bpróiseáil, lena n-áirítear an réamhchomhairliúchán dá dtagraítear in Airteagal 36, agus dul i gcomhairle, i gcás inarb iomchuí, maidir le haon ábhar eile.
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. Agus a chúraimí nó a cúraimí á ndéanamh ag an oifigeach cosanta sonraí, tabharfaidh sé nó sí aird chuí ar na rioscaí a bhaineann le hoibríochtaí próiseála, agus cineál, raon feidhme, comhthéacs agus críocha na próiseála á gcur san áireamh.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
220.127.116.11 «nature, scope, context and purpose of processing»
28. In short, the concept of nature can be understood as the inherent characteristics of the processing. The scope refers to the size and range of the processing. The context relates to the circumstances of the processing, which may influence the expectations of the data subject, while the purpose pertains to the aims of the processing.
 Examples are special categories personal data, automatic decision-making, skewed power relations, unpredictable processing, difficulties for the data subject to exercise the rights, etc.
An Rialachán Ginearálta maidir le Cosaint Sonraí (RGCS, GDPR)
General Data Protection Regulation (EU GDPR)
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.