Tasks of a Data Protection Officer – These Obligations Are Required by the GDPR 

The appointment of a data protection officer (DPO) is mandatory for many companies. This article explains which tasks a data protection officer has within a company and which legally defined obligations are specifically required by the GDPR.  

Information and Advice: This Is the Duty of the Data Protection Officer Under the GDPR 

“The data protection officer shall inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other data protection provisions.” – Summary of Art. 39 para. 1 lit. a GDPR. 

The data protection officer ensures that all departments and employees within the company are informed about data protection requirements. This includes regular training sessions and awareness-raising measures for employees, as well as close coordination with department and division managers to design work processes in a data protection-friendly manner. 

Proactively, the data protection officer should be involved in the introduction of new processes (e.g., the implementation of new software) so that both implementation and use are carried out in a data protection-compliant manner. 

Reactively, the data protection officer becomes active particularly in the event of data protection violations and raises employee awareness based on individual incidents. 

The data protection officer is available to all departments – especially employees, management, and also the works council – for questions relating to data protection. 

Supervisory Obligations of the Data Protection Officer Under the GDPR 

“The DPO shall monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data.” – Summary of Art. 39 para. 1 lit. b GDPR. 

Within the company, the DPO assumes a controlling function. They regularly review whether data protection requirements are being complied with. In doing so, they act independently and may not receive instructions regarding the exercise of their tasks (Art. 38 para. 3 GDPR). Tools that support this monitoring include the record of processing activities (which the controller or processor must maintain under Art. 30 GDPR) and a concept for technical and organizational measures (TOMs).

Monitoring also includes ensuring that the rights of data subjects are upheld – particularly that requests from data subjects are answered correctly and within the statutory deadlines. In practice, this often leads to employees responsible for handling data subject requests being organizationally assigned directly to the data protection officer. 

Data Protection Impact Assessment (DPIA): Advisory and Review Obligations of the Data Protection Officer 

“He or she shall, where requested, advise as regards the data protection impact assessment and monitor its performance pursuant to Article 35.” – Summary of Art. 39 para. 1 lit. c GDPR. 

For planned processing operations that pose a high risk to the rights and freedoms of data subjects, a data protection impact assessment (DPIA) must be carried out. The DPO provides support by: 

  • assessing the necessity of a DPIA, 
  • advising on the procedure and assessment criteria, 
  • providing guidance on risk mitigation, and 
  • supporting the documentation process. 

Important: Responsibility for the DPIA remains with management. The DPO supports and reviews the process but does not make independent decisions. 

Duty of Cooperation of the Data Protection Officer with the Supervisory Authority 

“He or she shall cooperate with the supervisory authority and act as the contact point for the supervisory authority on issues relating to processing.” – Summary of Art. 39 para. 1 lit. d and e GDPR.

The DPO also serves as the link to the data protection supervisory authority. They are the primary point of contact for authorities in the event of inquiries and support management in audits and information requests from the supervisory authority. In doing so, they also act as an intermediary between the company and the authority. 

Open communication with the supervisory authority is often a key success factor when dealing with data protection audits or incidents. 

Conclusion 

The obligations of a data protection officer under the GDPR, as set out in Article 39 GDPR, show that the DPO is far more than a mere mandatory appointment. The DPO is an advisor, controller, mediator, and trainer – and thus a central figure for data protection compliance. 

A well-positioned DPO not only helps to avoid fines, but also builds trust among customers, partners, and employees. 

Final tip: Companies should provide the DPO with sufficient resources, independence, and access to all relevant information – only then can the role be fulfilled effectively. 