The tennis association KNLTB accuses the Dutch Data Protection Authority (DPA) of not involving the Data Protection Officer (DPO) in the investigation into the sale of personal data of members to sponsors for advertising purposes.
The DPA rejects this accusation: “The DPA does cooperate with the DPO, but it must focus its supervisory activities on the controller who is the standard addressee of the GDPR. Although the DPO may request information from anyone in the performance of its duties, including the DPO, at the same time the DPO is not part of the (…) controller. ”
The AP will therefore always request information from the controller himself and not from the DPO. A clear position: although the DPO is an internal supervisor, it is not a “forward post” of the DPA.
The AP is aware that one could upset “the delicate balance” between the DPO and the controller if the DPO were questioned separately. The controller could then easily lose confidence in the DPO.
To prevent this, the Company Training Data pays a lot of attention to the position of the DPO. On the basis of practical cases, practical tips are given as a DPO to maintain a good balance in the relationship with the controller and with the DPA.