Article 38.03

1The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. 2He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. 3The data protection officer shall directly report to the highest management level of the controller or the processor.