Data Protection Officer’s role and responsibilities

In light of the latest survey conducted by the CPO Magazine, we are looking into the role of the Data Protection Officer (DPO).

In this article, you will find answers to questions like who is a DPO, which companies need to appoint one and what are the DPO-s responsibilities.

Data Protection Officer by definition 

The UK’s independent authority gives a great definition of who a DPO is: 

DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.”

Wikipedia goes even deeper and specifies that: 

“The DPO ensures, in an independent manner, that an organization applies the laws protecting individuals’ personal data. The designation, position, and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the EU General Data Protection Regulation (GDPR).”

To put into human language the DPO is a person in your company whose responsibility is to make sure that the company is GDPR compliant. 

Important to know: 

The DPO must have the autonomy and independence to perform his functions. Therefore, it has to be decided whether DPO’s functions can be assigned to an existing employee or to an external specialist.

If the DPO position is appointed to an existing employee, he or she is allowed to keep another position within the company but only to the extent that it does not result in a conflict of interest.

This means that the DPO cannot be involved in deciding which personal data must be processed. Thus, the DPO could not be the director of the company, head of operations,  finance, human resources, marketing, IT or legal departments.

Appointing a DPO 

As described in, there are three conditions when you are obliged to appoint a DPO:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. processing operations require regular and systematic monitoring of data subjects on a large scale;
  3. a large scale of special category data and/or personal data relating to criminal convictions and offenses are being processed.

In order for you to determine whether or not to appoint a DPO, you should assess whether it meets the specified conditions. This assessment could be an integral part of an internal data protection audit. The assessment should be a documented conclusion that could also be made available to the supervisory authority if necessary.

Important to know:

Companies which do not fulfill any of the mentioned conditions are not required to appoint Data Protection Officer.

In other words, a DPO is not required to be appointed if:

  • personal information is not processed at all or is processed on a small scale.
  • the main activities of the company rarely involve monitoring data subjects.

DPO’s role and responsibilities 

Since DPO is taking the role of an intermediary between the company and Data Protection Authority, he/she must be easily accessible for the company’s management, employees, the supervisory authorities and data subjects.

If a single DPO role is appointed for the group of companies, then each subsidiary should have equally easy access to the DPO. Therefore, DPO’s contact details must be mentioned in the Privacy Policy and provided to the authorities.

Data Protection Officer must be involved in all issues related to the protection of personal data. GDPR Article 39 has specified the primary tasks of a DPO. In short, these are the tasks:

  1. to inform and advise the controller or the processor and the employees who carry out the processing of their obligations;
  2. to monitor compliance with GDPR and local data protection provisions.  Also, compliance with the internal policies, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits;
  3. to provide advice regarding the data protection impact assessment (DPIA) and to monitor its performance pursuant to Article 35;
  4. to cooperate with the supervisory authority;
  5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, regarding any other matter.

When performing tasks, DPO must be aware of the risk associated with processing operations. Also, DPO must consider the nature, scope, context, and purposes of the processing.

DPO should prioritize and focus on riskier activities. For example, in situations where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organization.

If the company decides not to follow the advice given by the DPO, the reasons must be documented in order to demonstrate accountability.


The GDPR Data Protection Officer is a key figure in the updated data management system. Not only does he/she help to comply with the requirements, but he also acts as an intermediary in the relationship between the company, the supervisory authority and the data subject.

Therefore, the Data Protection Officer must be appointed with careful consideration of all the operations within the company.

However, even though the role and tasks of a DPO are crucial to the company, it is important to know that the DPO is not personally liable for data protection compliance. It remains the company’s responsibility to comply with the GDPR.

If the company decides not to appoint a DPO when it’s required, it might cause non-compliance and the company might face GDPR fines that can go up to 20 mln EUR or 4% of global turnover.

More on this topic: 
Records of processing activities in GDPR Article 30
What are the GDPR fines for non-compliance?

Are you GDPR compliant?

Assess whether you have to comply with the GDPR in the first place and if you do, what is the level of preparedness of the GDPR compliance. Also check out the answers for the frequently asked questions.
Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

Try our GDPR Compliance Tool GDPR Register for 14-days.

No credit card required.

Latest Posts
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

Why businesses need Data Processing Agreement (DPA)? It’s practically not possible to run a business without processing personal data and...
GDPR checklist for controllers

GDPR checklist for controllers

This is a simple GDPR compliance checklist for controllers that you can use to ensure you have considered most important...
GDPR Basics: Are you a Controller or a Processor?

GDPR Basics: Are you a Controller or a Processor?

What are ‘controllers’ and ‘processors’? With this short and simple article, we will try to explain the basics of controllers...
Templates for Records of Processing Activities

Templates for Records of Processing Activities

As we see every day, most companies and organisations still keep their Records of Processing Activities in spreadsheets. Through our...
Web plug-in requires visitor’s consent

Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind...
First GDPR fine issued in Lithuania

First GDPR fine issued in Lithuania

A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’,...
Finnish DPA ordered a company to change their data processing practises

Finnish DPA ordered a company to change their data processing practises

An article was published recently in the Helsingin Salomat about the Finnish Data Protection Authority who had ordered a payment and...
Data Protection Officer’s role and responsibilities

Data Protection Officer’s role and responsibilities

In light of the latest survey conducted by the CPO Magazine, we are looking into the role of the Data...
GDPR Compliance Checklist for 2020

GDPR Compliance Checklist for 2020

Just recently, a report was published based on a survey of 252 global privacy professionals working for a wide range...

Zpracovává vaše společnost osobní údaje?

Zpracovávat vaše společnost osobní údaje fyzických osob, jako jsou:

  • Údaje zaměstnanců, zákazníků, uchazečů o zaměstnání nebo pacientů včetně:
    • Jméno nebo osobní identifikační číslo
    • Kontaktní údaje (e-mailová adresa, telefonní číslo, adresa)
    • Bankovní údaje, plat, údaje o pasu nebo jiné osobní údaje


Ar Jūsų įmonė renka ir tvarko fizinių asmenų asmens duomenis? 

Asmens duomenys gali būti:

  • Kliento, darbuotojo. paciento, kandidato į darbo vietą ir kt. 
    • Vardas ar asmens  numeris 
    • Kontaktinė informacija (el.pašto adresas, telefono numeris, adresas ir kt)
    • Banko sąskaitos  duomenys, atlyginimo dydis, paso duomenys ar bet kokia kita asmeninė informacija. 

Onko yrityksessäsi enemmän, kuin 250 työntekijää?

Kas teie ettevõte kogub ja töötleb isikuandmeid?

Kas teie ettevõte kogub ja töötleb füüsiliste isikutega seotud andmeid nagu näiteks:

Töötajate, klientide, tööle kandideerijate, patsientide:

  • Nimi, isikukood
  • E-posti aadress, telefoninumber, kodune aadress
  • Pangakontonumber, palgasumma, krediitkaardiandmed või mõnda muut tüüpi isiklikud andmed

Does your company collect any personal data?

Does your company collect and process any personal data of natural persons such as:

  • Employees, Customers, Job Applicants or Patients including:
    • Name or personal ID number
    • Contact details (Email address, Phone number, Address)
    • Bank details, Salary amounts, Passport details or any other personal data