Module 10 · The data protection officer (DPO, Articles 37–39)
The DPO (formerly the Personal Data Protection Official) advises on and monitors compliance and must be an expert in data protection law and practice. Article 37 makes a DPO mandatory in three cases: the controller is a public authority; its core activities involve regular and systematic monitoring of data subjects on a large scale; or its core activities involve large-scale processing of special-category data. Article 38 protects the DPO's independence: the DPO reports to the highest management level, receives no instructions on how to do the job, cannot be dismissed or penalised for doing it, must have no conflict of interest, and is not personally liable.
| # | Mandatory DPO when... | Example |
|---|---|---|
| 1 | The controller is a public authority | A government department or local council |
| 2 | Core activities involve regular and systematic monitoring of data subjects on a large scale | Large-scale online tracking/profiling |
| 3 | Core activities involve large-scale processing of special-category (or criminal-conviction) data | A hospital's patient records |
- If uncertain, appoint one; Member State law may add further cases.
- WP29 examples: a hospital's patient records = core activity + large scale; an individual physician's patient records = not large scale; all forms of internet tracking/profiling = regular and systematic monitoring.
- Tasks: inform/advise the controller, processor and staff; monitor compliance; advise on and monitor DPIAs; be the contact point and cooperate with the SA; exercise professional secrecy.
The DPO reports to the highest management level; receives no instructions on how to perform the tasks; cannot be dismissed or penalised for doing the job; must have no conflict of interest (i.e. cannot hold a role that determines the purposes and means of processing); is given the resources and access needed; may serve a whole group of undertakings if easily accessible from each establishment; and is not personally liable for the organisation's non-compliance.