University of Groningen's Data Protection Officer

Data protection officers

A data protection officer (DPO) is an officer who monitors the application of and compliance with the GDPR within an organisation. The designation of a DPO is an important measure to ensure legal compliance and data protection.

Appointing a DPO is mandatory under certain conditions. Based on Article 37, a controller and processor need to designate a DPO if:

  • The processing is carried out by a public authority or body (with the exception of courts acting in their judicial capacity);
  • The core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale;
  • The core activities consist of processing on a large scale of special categories of data (Article 9) or personal data relating to criminal convictions and offences (Article 10).

A group of undertakings or several public authorities and bodies can also designate a single DPO: one DPO for multiple organisations. When a DPO is designated, the contact details have to be published and communicated to the supervisory authority.

The GDPR provides in detail the required qualifications, legal status, independence safeguards and functions of the DPO in Article 37. A DPO is appointed based on his/her professional qualities, expert knowledge of data protection law and practices, and the ability to fulfil the tasks.

A DPO is involved in all issues relating to personal data protection, cannot be dismissed or penalised for performing his/her tasks, does not receive any instructions regarding exercising GDPR duties and is bound by secrecy or confidentiality. A DPO may fulfil other tasks and duties if they do not result in a conflict of interests. Based on Article 39, a DPO has the following major tasks:

  • To inform and advise on GDPR and related obligations;
  • To monitor compliance with the GDPR and related obligations (including awareness raising and training);
  • To provide advice as regards data protection impact assessment and to monitor its performance;
  • To cooperate with the supervisory authority;
  • To act as the contact point for the supervisory authority.

This article is from the free online course:

Understanding the GDPR

University of Groningen
