The Data Protection Officer (DPO)

When is a DPO mandatory? Internal vs. external DPO, duties, position, liability, and protection against dismissal.

The Data Protection Officer under the GDPR

Articles 37 to 39 of the GDPR define when a Data Protection Officer (DPO) must be appointed, what their duties are, and what position they hold within the organisation. The DPO serves as the central point of contact for data protection matters, both internally and towards supervisory authorities and data subjects.

When Is a DPO Mandatory? (Art. 37)

Under the GDPR, a DPO must be designated in the following cases:

  • Public authorities: Processing is carried out by a public authority or body (except courts acting in their judicial capacity).
  • Large-scale monitoring: Core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
  • Special categories of data: Core activities consist of processing special categories of data (Art. 9) or data relating to criminal convictions (Art. 10) on a large scale.

Additionally, EU member states may set further requirements. In Germany, Section 38 BDSG lowers the threshold significantly: a DPO is mandatory when at least 20 persons are regularly engaged in automated processing of personal data. This means many small and medium-sized enterprises in Germany must also appoint a DPO. Some other member states have similar national provisions.

Internal vs. External DPO

Organisations can choose between appointing an internal employee or engaging an external DPO. Both options have advantages and disadvantages:

Comparison of internal and external DPO arrangements

Criterion                       Internal DPO                                              External DPO
Knowledge of the organisation   Deep understanding of internal processes                  Requires onboarding period
Independence                    Risk of conflicts of interest                             Greater independence
Dismissal protection            Special protection under German law (Section 6(4) BDSG)   Contract termination terms apply
Cost                            Salary + training costs                                   Service fee (often more predictable)
Expertise                       Depends on individual                                     Typically specialised professionals
Availability                    On-site presence                                          Availability as per contract

Important: Regardless of whether internal or external, the DPO must possess the professional qualities and expert knowledge required by Art. 37(5). This includes knowledge of data protection law, IT security, and the specific industry in which the organisation operates.

Duties of the DPO (Art. 39)

The DPO's duties as defined in Article 39 include:

  • Informing and advising: Advising the controller, processor, and employees on their data protection obligations.
  • Monitoring compliance: Overseeing compliance with the GDPR, other data protection laws, and the organisation's data protection policies.
  • Training: Awareness-raising and training of staff involved in processing operations.
  • DPIA advice: Providing advice on Data Protection Impact Assessments (see DPIA guide) and monitoring their performance.
  • Cooperating with the supervisory authority: Acting as the contact point for the supervisory authority on issues relating to processing.

Position and Independence (Art. 38)

The GDPR sets strict requirements for the DPO's position within the organisation:

  • The DPO must be involved in all data protection matters properly and in a timely manner.
  • The organisation must provide the DPO with the resources necessary to carry out their tasks, including access to personal data and processing operations.
  • The DPO must not receive instructions regarding the exercise of their tasks. They report directly to the highest management level.
  • The DPO must not be dismissed or penalised for performing their duties.
  • The DPO may fulfil other tasks and duties, but the organisation must ensure these do not result in a conflict of interest. Roles such as CEO, CTO, head of HR, or head of IT are generally incompatible.

Liability Considerations

It is important to understand that the DPO is not personally liable for GDPR compliance. The responsibility for compliance lies with the controller or processor. However, in egregious cases of negligence, an internal DPO could face employment law consequences. External DPOs may face contractual liability under the terms of their service agreement.

For more on potential consequences of non-compliance, see our GDPR Fines and Penalties page.

Support Your DPO with the Right Tools

Kopexa provides the documentation, audit trails, and compliance dashboards your DPO needs to fulfil their duties efficiently. From records of processing to TOM documentation, everything in one platform.
