FORTISEU
GDPR: In Force

GDPR Data Protection Officer Requirements

Updated 2026-03-12

When is a DPO Mandatory?

Article 37(1) mandates the designation of a Data Protection Officer in three circumstances. First, where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity (Article 37(1)(a)). The GDPR does not define 'public authority or body,' leaving this to national law — but the EDPB recommends a broad interpretation that includes entities performing public functions or exercising public authority.

Second, where the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale (Article 37(1)(b)). 'Core activities' refers to key operations necessary to achieve the controller's or processor's objectives — not ancillary functions like HR or IT support. 'Regular and systematic monitoring' includes all forms of tracking and profiling on the internet, including for behavioural advertising, but is not limited to online activities. It covers loyalty programmes, CCTV surveillance, connected devices, and any processing involving ongoing observation of individuals.

Third, where the core activities consist of processing on a large scale of special categories of data pursuant to Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10 (Article 37(1)(c)). The EDPB recommends considering factors such as the number of data subjects (as a number or proportion of the relevant population), the volume and range of data items, the duration or permanence of processing, and the geographical extent of processing when determining 'large scale.'

Even where not mandatory, the EDPB strongly recommends voluntary appointment of a DPO as a matter of best practice. Where an organisation voluntarily appoints a DPO, all the GDPR requirements regarding the DPO's designation, position, and tasks apply as if the appointment were mandatory.

References: Art. 37(1)(a), Art. 37(1)(b), Art. 37(1)(c)

Qualification and Expertise

Article 37(5) requires that the DPO be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, and the ability to fulfil the tasks referred to in Article 39. The required level of expertise is not strictly defined but must be commensurate with the sensitivity, complexity, and volume of data processing carried out by the organisation.

The DPO may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract — meaning external DPO appointments are explicitly permitted (Article 37(6)). A group of undertakings may appoint a single DPO provided that the DPO is easily accessible from each establishment (Article 37(2)). Similarly, where the controller or processor is a public authority or body, a single DPO may be designated for several such authorities or bodies, taking into account their organisational structure and size (Article 37(3)).

The EDPB has provided guidance on the skills profile expected of a DPO: expertise in national and European data protection laws and practices, understanding of the GDPR and other relevant legislation (such as the ePrivacy Directive), knowledge of the processing operations carried out by the organisation, understanding of information technologies and data security, knowledge of the specific business sector and organisation, and the ability to promote a data protection culture within the organisation. Formal certifications (such as CIPP/E, CIPM, or national DPO certifications) are useful evidence of competence but are not a legal requirement under the GDPR.

The controller or processor must publish the contact details of the DPO and communicate them to the supervisory authority (Article 37(7)). The published contact details need not include the DPO's name; a dedicated email address, telephone number and/or postal address that reaches the DPO directly is sufficient for the public. The EDPB guidance does, however, treat communicating the DPO's name to the supervisory authority as essential, since the DPO must be identifiable as the authority's contact point.

References: Art. 37(5)-(7)

Position and Independence

Article 38 establishes robust safeguards for the DPO's independence and effectiveness. The controller and processor must ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data (Article 38(1)). This requires proactive engagement — the DPO should be consulted on data protection impact assessments, new processing activities, breach responses, and policy development, not merely informed after decisions are made.

The controller and processor must support the DPO by providing resources necessary to carry out their tasks, including access to personal data and processing operations, and to maintain their expert knowledge (Article 38(2)). Resources include adequate time, budget for training and professional development, staff support where the volume of work requires it, access to legal and technical expertise, and appropriate standing within the organisational hierarchy.

The DPO must report directly to the highest management level of the controller or processor (Article 38(3)). The EDPB interprets this as requiring a direct reporting line — not necessarily that the DPO reports exclusively to the board, but that the DPO has direct access to top management without intermediaries who could filter or influence their advice.

Critically, Article 38(3) prohibits the controller or processor from giving the DPO any instructions regarding the exercise of their tasks. The DPO must not be dismissed or penalised for performing their duties. This independence protection is fundamental — a DPO who fears retaliation cannot effectively fulfil their advisory and monitoring role. Article 38(6) further provides that the DPO may fulfil other tasks and duties, but the controller or processor must ensure that any such tasks and duties do not result in a conflict of interest. Roles typically considered conflicting include CEO, COO, CFO, head of HR, head of IT, and head of marketing — any position where the person determines purposes and means of processing.

References: Art. 38(1)-(6)

Warning: The DPO must not receive instructions regarding the exercise of their tasks. Any attempt to direct, influence, or penalise the DPO for their findings or recommendations is a violation of Article 38(3).

Tasks of the DPO

Article 39 defines the minimum tasks of the DPO. These are baseline obligations — the DPO may be assigned additional tasks and duties provided they do not create a conflict of interest.

The DPO must inform and advise the controller or processor and the employees who carry out processing of their obligations under the GDPR and other Union or member state data protection provisions (Article 39(1)(a)). This advisory function encompasses interpretation of legal requirements, guidance on implementation of technical and organisational measures, and recommendations on data protection policies and procedures.

The DPO must monitor compliance with the GDPR, other data protection provisions, and the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and related audits (Article 39(1)(b)). The monitoring role does not mean the DPO is personally responsible for compliance — that responsibility remains with the controller under the accountability principle. The DPO monitors and advises; the controller decides and implements.

The DPO must provide advice where requested regarding data protection impact assessments and monitor their performance (Article 39(1)(c)). The DPO must cooperate with the supervisory authority (Article 39(1)(d)) and act as the contact point for the supervisory authority on issues relating to processing, including prior consultation under Article 36, and to consult, where appropriate, with regard to any other matter (Article 39(1)(e)).

In performing their tasks, the DPO must have due regard to the risk associated with processing operations, taking into account the nature, scope, context, and purposes of processing (Article 39(2)). This risk-based approach allows the DPO to prioritise their activities — focusing attention on higher-risk processing operations while applying proportionate oversight to lower-risk activities.

References: Art. 39(1)(a)-(e)

DPO as Contact Point

The DPO serves as the primary interface between the organisation, the supervisory authority, and data subjects. Article 39(1)(e) designates the DPO as the contact point for the supervisory authority on issues relating to processing. This includes responding to supervisory authority inquiries, facilitating inspections and audits, channelling prior consultation requests under Article 36, and serving as the organisation's primary liaison during enforcement proceedings.

Article 38(4) provides that data subjects may contact the DPO with regard to all issues related to processing of their personal data and to the exercise of their rights under the GDPR. This makes the DPO the front-line contact for data subject access requests, complaints, rectification requests, erasure requests, and other rights-related communications. The DPO must be accessible and responsive: the EDPB guidance expects the published contact details to allow data subjects and the supervisory authority to reach the DPO easily (a postal address, a dedicated telephone number, and/or a dedicated email address), and organisations should establish clear internal procedures for routing data subject inquiries to the DPO.

Article 37(7) requires the controller or processor to publish the contact details of the DPO — typically in the privacy notice and on the organisation's website — and to communicate them to the supervisory authority. Many national DPA registration or notification procedures include a field for DPO contact details. The DPO's accessibility is a key component of the transparency principle and supports the effective exercise of data subject rights.

References: Art. 37(7), Art. 38(4), Art. 39(1)(e)

Frequently Asked Questions

Does our organisation need a DPO?

A DPO is mandatory under Article 37(1) if: (a) you are a public authority or body (except courts acting judicially); (b) your core activities require regular and systematic monitoring of data subjects on a large scale; or (c) your core activities involve large-scale processing of special categories of data or criminal conviction data. Even where not legally required, the EDPB recommends voluntary appointment as best practice. If you voluntarily appoint a DPO, all GDPR requirements regarding the role apply fully.

Can the DPO be an external service provider?

Yes. Article 37(6) explicitly permits the DPO to fulfil their tasks on the basis of a service contract. An external DPO must meet the same requirements as an internal DPO: expert knowledge, independence, accessibility, and absence of conflicts of interest. A group of undertakings may appoint a single DPO (Article 37(2)), and multiple public authorities may share a DPO (Article 37(3)), provided the DPO is easily accessible from each establishment.

Can the DPO have other roles within the organisation?

Yes, Article 38(6) permits the DPO to fulfil other tasks and duties, but the controller or processor must ensure these do not result in a conflict of interest. Positions that determine purposes and means of processing — such as CEO, CFO, CTO, head of HR, head of IT, or head of marketing — are generally incompatible with the DPO role. The EDPB recommends identifying positions that would be incompatible and establishing safeguards such as clear role separation documentation.

What qualifications does a DPO need?

Article 37(5) requires the DPO to have 'expert knowledge of data protection law and practices' proportionate to the complexity of the organisation's processing activities. The GDPR does not mandate specific certifications or degrees. Relevant qualifications include legal expertise in EU and national data protection law, understanding of information technologies and data security, knowledge of the organisation's sector, and the ability to promote a data protection culture. Professional certifications (CIPP/E, CIPM, national DPO qualifications) are useful evidence of competence but are not legally required.

This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.
