This table contains extracts and summaries of legislation using among other things the headings of paragraphs in the Schedules to the UK Data Protection Act 2018 ('DPA'). After identifying relevant paragraphs in those Schedules, users of this table should always use the DPA links provided to refer to the full text of those paragraphs, in order to identify their precise scope and to identify the 'listed GDPR provisions'. (See Summary of Data Protection Act 2018 for further explanation.)

This table sets out extracts from the official version of the GDPR and the original version of the DPA. It does not yet set out the amendments made to the GDPR and the DPA, effective within the UK as from the date of Brexit, by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419. See the Brexit page for further information regarding Brexit.

Item Reference       Article 39 Link
1 39. Article 39 GDPR 39
2 39. Tasks of the data protection officer GDPR 39
3 39.1 1. The data protection officer shall have at least the following tasks: GDPR 39
4 39.1(a) (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; GDPR 39
5 39.1(b) (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; GDPR 39
6 39.1(c) (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35; GDPR 39
7 39.1(d) (d) to cooperate with the supervisory authority; GDPR 39
8 39.1(e) (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter. GDPR 39
9 39.2 2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing. GDPR 39
Item Reference Articles which affect Article 39 Link
Item Reference       GDPR Recitals which affect Article 39
35 Recital 97 (97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.
Item Reference       Related Guidance which affects Article 39
36 ICO guidance on Data Protection Officers Guidance
37 Article 29 Working Party Guidelines on Data protection officers Guidance
38 ICO guidance on Accountability principle Guidance
39 ICO guidance on Accountability and governance Guidance
Disclaimer - Copyright - Privacy policy