When signing a service contract for the provision of DPO services with a given entity, do we not sign a data processing agreement? Should an authorisation be issued for the DPO, or does the DPO act on the basis of the rights and obligations arising from the GDPR?
ANSWER
The data controller should conclude a service contract with an external DPO. According to the position adopted by the Polish DPA (https://uodo.gov.pl/pl/495/2412), a data processing agreement is not concluded with an external DPO. The DPO acts on the basis of the contract concluded. The service contract should contain the tasks set out in Article 39(1) GDPR, which should be carried out subject to the conditions laid down in the provisions of that Regulation, in a manner that guarantees the DPO's independence. The controller and the processor are, among other things, obliged to ensure that the DPO does not receive instructions concerning the performance of their tasks. For this reason, concluding a data processing agreement is not appropriate.


