What does it mean under Article 38 GDPR that a DPO shall not be dismissed or penalized by the controller or processor for performing their tasks?
ANSWER
Article 38(3) GDPR states that the Data Protection Officer (DPO) shall not be dismissed or penalized by the controller or processor for performing their tasks. However, this does not mean that the DPO is immune from accountability.
Legal commentators generally take the view that a DPO may not be penalized for the proper performance of their duties, meaning duties carried out correctly and in accordance with the GDPR. On the other hand, where the DPO fails to perform their duties, they may incur liability either under the provisions of the Labour Code (if employed under an employment contract) or under general civil liability rules (if providing services under a service agreement).
The following excerpt from a GDPR commentary (edited by Litwiński, 2021) addresses this issue:
"As noted in the literature regarding the second of the principles forming the guarantee of the DPO's independence, the wording of this safeguard may raise doubts because it suggests that no consequences may be imposed on the DPO for any actions constituting the performance of their tasks. However, such an interpretation does not appear to be correct, as it could lead to the DPO being free from accountability in cases of improper performance of their duties. Therefore, the phrase 'performing tasks' should be understood as performing them properly and in compliance with the law, whereas deficiencies, mistakes, or failure to take required actions should be treated as a failure to perform those tasks, which may result in the DPO being held liable (P. Fajgielski, General Data Protection Regulation, p. 432). As emphasized by E. Bielak-Jomaa, a controller or processor may terminate the employment contract of a person acting as a DPO if that person fails to perform the tasks specified in the employment contract, the document defining their duties, or the obligations undertaken under a civil law contract (E. Bielak-Jomaa, in: GDPR Commentary, p. 793)."