DPO & DPR

Among repeatedly explained, yet poorly understood obligations, the appointment of a Data Protection Officer (DPO) and a Data Protection Representative (DPR) regularly hit the top of our clients’ frequently asked questions. Indeed, appointment of either or both DPO and DPR is still not systematically complied with none of them being invented by GDPR.
The old, poorly implemented directive 95/46/EC, refers to the data protection official, a DPO ancestor and mandates data controller not established in the Union to name a representative. So, why with none of these notions coming out of the blue, DPO and DPR remain such a mystery?
Let’s try to dissipate at least some bits of the mist and hopefully dispel some misconceptions.

Though DPO and DPR may look somehow alike, these two notions present significant differences and are not to be confused.
Essentially, DPO is a facilitator paving the way towards GDPR implementation by its controllers/processors (from within and outside EEA) while keeping its independence and cooperating with data protection authorities.
While DPR, acts upon non-EEA controller’s/processor’s instructions and will be contacted by data protection authorities instead of or together with controllers/processors for the purposes of ensuring compliance with regulation.
MyData-TRUST made a full side-by-side comparison covering 24 elements which enable to properly differentiate both notions.