
Data protection officers

Dr Bo Zhao discusses the designation of data protection officers under the GDPR.
University of Groningen's Data Protection Officer
© University of Groningen

A data protection officer (DPO) is an officer who monitors the application of and compliance with the GDPR within an organisation. The designation of a DPO is an important measure to ensure legal compliance and data protection.

Appointing a DPO is mandatory under certain conditions. Based on Article 37, a controller and processor need to designate a DPO if:

  • The processing is carried out by a public authority or body (with the exception of courts acting in their judicial capacity);
  • The core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale;
  • The core activities consist of processing on a large scale of special categories of data (Article 9) or personal data relating to criminal convictions and offences (Article 10).

A group of undertakings or several public authorities and bodies can also designate a single DPO: one DPO for multiple organisations. When a DPO is designated, the contact details have to be published and communicated to the supervisory authority.

The GDPR provides in detail the required qualifications, legal status, independence safeguards and functions of the DPO in Article 37. A DPO is appointed based on his/her professional qualities, expert knowledge of data protection law and practices, and the ability to fulfil the tasks.

A DPO is involved in all issues relating to personal data protection, cannot be dismissed or penalised for performing his/her tasks, does not receive any instructions regarding the exercise of GDPR duties, and is bound by secrecy or confidentiality. A DPO may fulfil other tasks and duties if they do not result in a conflict of interests. Based on Article 39, a DPO has the following major tasks:

  • To inform and advise on the GDPR and related obligations;
  • To monitor compliance with the GDPR and related obligations (including awareness raising and training);
  • To provide advice as regards data protection impact assessment and to monitor its performance;
  • To cooperate with the supervisory authority;
  • To act as the contact point for the supervisory authority.
This article is from the free online course Understanding the GDPR.
