Article 39 lists the main (but not all) tasks that fall under the remit of the Data Protection Officer (DPO). Among them, there are three main functions (although DPO competences are not necessarily limited to them):

1. Consulting (39.1a, c),
2. Control / monitoring (39.1b),
3. Relationship with the supervising authorities (39.1d, e).

1. The consulting function means that the DPO provides information and explanations about the GDPR and its compliance to the controller and processor as well as to the employees of the controller and processor who are involved in the processing of personal data. In particular the role of DPO is important in the context of Data Protection Impact Assessment (DPIA), because DPO advises and monitors its implementation according to Article 35 of the GDPR. WP29 recommends that the controller seeks the advice of the DPO, e.g. on the following issues:

• whether or not to conduct a DPIA;
• what methodology to follow when conducting DPIAs;
• whether to conduct or outsource the DPIA;
• what safeguards (including technical and organizational measures) should be applied to mitigate any risks;
• risks to the rights and interests of personal data subjects;
• whether the data protection impact assessment has been conducted correctly and whether its findings are compliant with the GDPR (whether to continue processing and what safeguards should be applied).

2. As far as the monitoring function of DPO is concerned, it means monitoring compliance with data protection legislation and internal regulations on personal data protection, as well as raising awareness of data protection issues, training of personnel and internal audit. As part of these compliance monitoring responsibilities, DPOs may do the following, among other things:

• collect information to identify the processing activities of personal data;
• analyze and verify the compliance of these activities;
• informing, advising and making recommendations to the controller or processor on specific processes etc.

It is important to note that the presence of a monitoring function does not mean that DPO is personally responsible in cases of non-compliance. It is clearly stated in the GDPR that it is the controller who must “take appropriate technical and organizational measures to ensure and demonstrate that the processing is performed in accordance with these regulations” (Article 24(1)). Compliance with data protection requirements is the corporate responsibility of the data controller, not DPO.

3. In addition, DPO also cooperates with the supervisory authority and is the first contact person for them and for persons whose data are processed. For example, the DPO acts as a point of contact to facilitate the supervisory authority’s access to documents and information for the performance of the tasks referred to in Article 57 as well as for the performance of its investigative, corrective, authorizing and consulting powers referred to in Article 58. As it is known from Article 38, DPO shall observe professional secrecy in the performance of its duties. However, the duty of secrecy/confidentiality does not prohibit DPO from contacting the supervisory authority and seeking advice from them.

According to the recommendations of the supervisory authorities, in performing its tasks, DPO shall take into account the risks (risk-based approach) associated with processing of personal data, i.e. the nature, scope, context and purpose of processing. The Data Protection Officer should prioritize and focus on more risky activities, e.g. when special categories of data are processed (health, racial or ethnic data, etc. in accordance with Article 9) or when potential impact on individuals may be harmful. And already based on risk assessments, DPO should provide advice to your organization.

If you decide not to follow the advice given by your DPO, you should document your reasons so that you can always demonstrate your accountability.

The GDPR says that a controller or processor can assign additional tasks and responsibilities to DPO unless they lead to a conflict of interest with the main tasks.

For example, in practice DPOs often compile and keep the record of the processing activities (according to article 30), although according to the GDPR it is the controller or processor and not the DPO who is obliged “to keep a record of the processing activities under their responsibility”. However, nothing prevents this task from being assigned to DPO.

ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 6.1.1.

Here is the relevant paragraph to article 39 GDPR:

6.3.1.1 Information security roles and responsibilities

Implementation guidance

The organization should designate a point of contact for use by the customer regarding the processing of PII. When the organization is a PII controller, designate a point of contact for PII principals regarding the processing of their PII (see 7.3.2).

The organization should appoint one or more persons responsible for developing, implementing, maintaining and monitoring an organization-wide governance and privacy program, to ensure compliance with all applicable laws and regulations regarding the processing of PII.

The responsible person should, where appropriate:

— be independent and report directly to the appropriate management level of the organization in order to ensure effective management of privacy risks;

— be involved in the management of all issues which relate to the processing of PII;

— be expert in data protection legislation, regulation and practice;

— act as a contact point for supervisory authorities;

— inform top-level management and employees of the organization of their obligations with respect to the processing of PII;

— provide advice in respect of privacy impact assessments conducted by the organization.

NOTE Such a person is called a data protection officer in some jurisdictions, which define when such a position is required, along with their position and role. This position can be fulfilled by a staff member or outsourced.