What about DPO liability? I have a minor personal data protection incident — according to the breach severity calculator, there is no obligation to notify the breach, and I passed that recommendation to the controller. As I understand it, he makes the final decision.
ANSWER
Externally — with regard to data subjects and PUODO — the data controller (not the DPO) is responsible for a personal data breach. The data controller therefore makes the final decision on whether a given breach must be reported to PUODO or not. The obligation to make the appropriate decision rests with the controller. Article 38(3) GDPR provides that the DPO shall not be dismissed or penalized by the controller or processor for performing their tasks. However, this does not mean that the DPO is immune from accountability.
Legal commentators generally take the view that a DPO may not be penalized for the proper performance of their duties, meaning duties carried out correctly and in accordance with the GDPR. On the other hand, where the DPO fails to perform their duties, they may incur liability either under the provisions of the Labour Code (if employed under an employment contract) or under general civil liability rules (if providing services under a service agreement).
The following excerpt from a GDPR commentary (edited by Litwiński, 2021) addresses this issue: "As noted in the literature regarding the second of the principles forming the guarantee of the DPO's independence, the wording of this safeguard may raise doubts because it suggests that no consequences may be imposed on the DPO for any actions constituting the performance of their tasks. However, such an interpretation does not appear to be correct, as it could lead to the DPO being free from accountability in cases of improper performance of their duties. Therefore, the phrase 'performing tasks' should be understood as performing them properly and in compliance with the law, whereas deficiencies, mistakes, or failure to take required actions should be treated as a failure to perform those tasks, which may result in the DPO being held liable (P. Fajgielski, General Data Protection Regulation, p. 432). As emphasized by E. Bielak-Jomaa, a controller or processor may terminate the employment contract of a person acting as a DPO if that person fails to perform the tasks specified in the employment contract, the document defining their duties, or the obligations undertaken under a civil law contract (E. Bielak-Jomaa, in: GDPR Commentary, p. 793)."