Data Protection Officer

A designated person responsible for overseeing an organization’s data protection strategy, practices, and compliance.

A Data Protection Officer (DPO) is a role required by the GDPR for certain organizations. Specifically, a DPO must be appointed when the organization is a public authority, when core activities involve large-scale systematic monitoring of individuals, or when core activities involve large-scale processing of sensitive data. The DPO serves as the primary point of contact for data protection authorities and data subjects, and must be given the resources and independence to perform their duties effectively.

The DPO’s responsibilities include advising the organization on data protection obligations, monitoring compliance with the GDPR and internal policies, providing guidance on Data Protection Impact Assessments, cooperating with the supervisory authority, and serving as a contact point for data subjects. Importantly, the DPO must report to the highest level of management, cannot be instructed on how to perform their tasks, and cannot be dismissed or penalized for performing their duties. The DPO can be an employee or an external service provider, and one DPO can serve a group of companies if they are reasonably accessible from each entity.

Applies To

GDPR, LGPD, POPIA

How Pryvii Helps

Pryvii's compliance monitoring dashboard helps DPOs oversee website compliance across multiple properties, track issues, and generate reports that support their oversight responsibilities.
