Skip main navigation

Data protection officers

Dr Bo Zhao discusses the designation of data protection officers under the GDPR.
University of Groningen's Data Protection Officer

A data protection officer (DPO) is an officer who monitors the application of and compliance with the GDPR within an organisation. The designation of a DPO is an important measure to ensure legal compliance and data protection.

Appointing a DPO is mandatory under certain conditions. Based on Article 37 a controller and processor need to designate a DPO if:

  • The processing is carried out by a public authority or body (with the exception of courts acting in their judicial capacity);
  • The core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale;
  • The core activities consist of processing on a large scale of special categories of data (Article 9) or personal data relating to criminal convictions and offences (Article 10).

A group of undertakings or several public authorities and bodies can also designate a single DPO: one DPO for multiple organisations. When a DPO is designated, the contact details have to be published and communicated to the supervisory authority.

The GDPR provides in detail the required qualifications, legal status, independence safeguards and functions of the DPO in Article 37. A DPO is appointed based on his/her professional qualities, expert knowledge of data protection law and practices and the ability to fulfill the tasks.

A DPO is involved in all issues relating to personal data protection, cannot be dismissed or penalised for performing his/her tasks, does not receive any instructions regarding exercising GDPR duties and is bound by secrecy or confidentiality. A DPO may fulfil other tasks and duties, if they do not result in a conflict of interests. Based on Article 39 a DPO has the following major tasks:

  • To inform and advise on GDPR and related obligations;
  • To monitor compliance with the GDPR and related obligations (including awareness raising and training);
  • To provide advice as regards data protection impact assessment and to monitor its performance;
  • To cooperate with the supervisory authority;
  • To act as the contact point for the supervisor authority.
© University of Groningen
This article is from the free online

Understanding the GDPR

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now