What is the difference between the Data Protection Representative and the Data Protection Officer?

The obligation to appoint a Data Protection Representative (DPR) applies only to companies based outside the EU/UK. If such companies do not have an establishment in the EU/UK but offer products or services to individuals located there, or monitor their behaviour (e.g. through cookies on a website), then they have a legal obligation to appoint a DPR.

If the conditions listed above apply, the company MUST appoint a DPR, unless one of the exceptions in Article 27(2) of the GDPR applies. The exceptions are the following:

1) the entity is a public body; or
2) the processing is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) of the GDPR or processing of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.

The Data Protection Officer (DPO) assists companies in complying with the GDPR (e.g., by providing advice regarding all matters related to the GDPR, including Data Protection Impact Assessments (DPIAs)).

DPRs do not directly assist companies with their GDPR compliance. Instead, they serve as a mandatory point of contact for companies that are not established in the EU or UK. They are appointed so they can be reached by:

1. individuals in the EU or UK who wish to exercise their rights under the GDPR, such as requesting a copy of their personal data or asking for it to be deleted
2. data protection authorities in the EU or UK, for example when they have questions about how the company processes the personal data of individuals in their jurisdiction, often following a complaint, or when they request access to the company’s Record of Processing Activities (RoPA) – a document which must be held by the DPR

These two obligations are not interchangeable: a company that meets the criteria for appointing both cannot choose one or the other.

Furthermore, the European Data Protection Board has previously confirmed in its Guidelines on the territorial scope of the GDPR that the DPO and DPR roles are incompatible:

“(…) The EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union. Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers or processors are required to ensure that the DPO ‘does not receive any instructions regarding the exercise of [his or her] tasks’. Recital 97 adds that DPOs, ‘whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner’. Such requirement for a sufficient degree of autonomy and independence of a data protection officer does not appear to be compatible with the function of representative in the Union. The representative is indeed subject to a mandate by a controller or processor and will be acting on its behalf and therefore under its direct instruction (…)”

Still not sure if you need to appoint a representative? Feel free to take our assessment test here, to fill out our registration form here or to simply send us an email to info@edpo.com.

About the author

Jamie Duckmotion
