Can the DPO's work be audited?
Can the actions taken by the DPO in the performance of his or her tasks be subject to control by the controller, either directly or through entities to which the controller outsources such control, such as internal or external auditors? In entities of the public finance sector, can the auditor make recommendations to the DPO under internal audit regulations?
The independence of the DPO, as referred to in Recital 97 and Article 38 of the GDPR, is one of the most important guarantees for the effective and proper performance of his or her tasks, and thus for genuinely ensuring that the processing of personal data complies with the law.
At the same time, it is the controller who bears full responsibility for processing data in accordance with data protection regulations. The DPO reports directly to the controller and, as such, the manner in which the DPO performs his or her functions must be subject to the controller's audit, which may be internal or outsourced by the controller to an external entity. In either case, such control (audit) must respect the independent functioning (the guarantees of independence) of the DPO, which the GDPR so clearly emphasises. This also applies to the internal control systems (compliance assessment systems) implemented in the organisation. These systems must not limit in any way the ability of the DPO to perform his or her tasks, including making a comprehensive, ongoing assessment of the compliance of personal data processing with the law.
The controllers that are entities of the public finance sector, in order to ensure lawful processing of personal data and proper organisation of information security, use the assistance of both auditors and DPOs. The internal auditor performs a systematic assessment of management control, covering all areas of the entity, including the activities undertaken by the DPO. The manner in which the internal audit is carried out is defined by law (including, among others, in the Regulation of the Minister of Finance of 4 September 2015 on internal audit and information on the work and results of the audit), but it must take into account the provisions of the GDPR, including, among others, Article 38(3) of the GDPR.
When the audit (inspection) concerns the work of the DPO, respecting the independent performance of his or her tasks means that those carrying out the audit are prohibited from giving the DPO any direct orders or recommendations regarding these tasks. The final decisions on the evaluation of the audit results concerning the proper performance of the DPO's duties are made by the head of the entity, and the DPO must be given the opportunity to present his or her position. The positions of both parties should be reasoned and documented. This material may be useful for evidentiary purposes when assessing the proper performance of the DPO's functions in the context of his or her liability under labour law, the Civil Code (contractual liability) or criminal law.