Am I, as a Data Protection Officer (DPO) acting under the GDPR and the Personal Data Protection Act, required to submit an annual report on data protection activities to the data controller, as described in Article 47?

ANSWER

The duties imposed on a Data Protection Officer (DPO) by law are set out in Article 39 GDPR. This provision does not explicitly require a DPO to submit an annual report to the data controller.

However, such an obligation may arise from the service agreement or any other contract under which the DPO performs their duties.

A statutory obligation to prepare and submit reports applies to DPOs operating in entities that are subject to the provisions of the Polish Personal Data Protection Act (UODO/DODO). Under this legislation, Article 47(1) imposes an obligation on the DPO to prepare a report.

In all other cases, there is no statutory requirement to submit an annual report. Such an obligation may exist only if it has been agreed upon in the contract between the parties.