The Data Protection Officer is one of the most misunderstood roles created by the GDPR. Many organisations appoint a DPO expecting that person to handle all compliance work. That is incorrect. The GDPR assigns the DPO a specific function: independent oversight of the organisation’s data protection practices. The controller, not the DPO, bears legal responsibility for compliance.
This distinction has practical consequences. The EDPB’s 2023 coordinated enforcement action on DPO designation and position collected over 17,000 responses from organisations and DPOs across 25 EEA jurisdictions. The resulting January 2024 report identified seven areas of concern, ranging from missing designations to insufficient resources and independence failures. Organisations that confuse the DPO’s advisory role with operational compliance responsibility risk both regulatory sanctions and ineffective data protection programmes.
What Is the Role of a Data Protection Officer?
The DPO’s role is defined in Articles 37-39 of the GDPR. Article 37 specifies when designation is mandatory. Article 38 establishes the DPO’s position within the organisation, including independence guarantees. Article 39 lists the DPO’s minimum tasks. For guidance on when a DPO must be appointed, see our DPO designation guide. This article focuses on what the DPO does once appointed.
The structural origin of the role explains its design. Under the predecessor Directive 95/46/EC, organisations could avoid prior notification to the supervisory authority by appointing an independent “Data Protection Official” who verified compliance internally. The GDPR inherited this model. The DPO functions as an internal counterpart to the supervisory authority: observing, advising, and reporting, but not executing compliance work.
What Tasks Does Article 39 Assign to the DPO?
Article 39(1) lists five mandatory tasks. First, the DPO must inform and advise the controller or processor and their employees about their obligations under the GDPR and other applicable data protection laws. Second, the DPO must monitor compliance, including staff awareness, training, and related audits. Third, the DPO must provide advice on Data Protection Impact Assessments and monitor their execution under Article 35.
Fourth, the DPO must cooperate with the supervisory authority. Fifth, the DPO must act as the contact point for the supervisory authority on all matters related to processing, including prior consultation under Article 36.
Article 39(2) adds that the DPO must perform these tasks with due regard to the risk associated with processing operations. This means the DPO should prioritise high-risk activities such as large-scale processing, automated decision-making, and cross-border transfers. In practice, the DPO also typically assists with maintaining the records of processing activities, though this is not explicitly listed in Article 39.
Independence Requirements Under Article 38
Article 38 establishes four core protections for DPO independence. The controller must not give the DPO instructions regarding the exercise of their tasks (Article 38(3)). The DPO cannot be dismissed or penalised for performing their duties. The DPO must report directly to the highest management level. Data subjects must be able to contact the DPO directly regarding their data protection concerns.
These protections exist because the DPO must be able to assess and report on the organisation’s compliance without fear of retaliation. If a DPO identifies a violation, they must be free to report it to management and, if necessary, to the supervisory authority. The Polish supervisory authority imposed a EUR 132,000 fine in 2025 on a financial institution partly for improper DPO positioning, demonstrating that independence requirements carry enforcement consequences.
Article 38(6) permits the DPO to hold other tasks and duties within the organisation, provided they do not create a conflict of interest. The EDPB’s 2024 report flagged this as a recurring problem: DPOs who simultaneously serve as head of IT, head of legal, or chief compliance officer may face conflicts between their oversight role and their operational responsibilities.
DPO Qualifications and Practical Challenges
Article 37(5) requires that the DPO be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practices. The GDPR does not mandate a specific certification, degree, or minimum years of experience. The required level of expertise depends on the complexity of the organisation’s processing activities.
What Qualifications Does a DPO Need?
Article 37(5) does not mandate a specific certification or degree. The EDPB’s Guidelines on DPOs (WP 243 rev.01) state that the necessary expertise should match the complexity of the organisation’s processing. A company conducting large-scale health data processing needs deeper legal and technical knowledge than a small business handling only employee contact data.
With the EU AI Act’s high-risk obligations applying from August 2, 2026, DPOs will increasingly need expertise in AI governance, as they will be expected to advise on the data protection implications of high-risk AI systems and coordinate with the AI compliance officers that deployers must designate under Article 26. Effective DPOs combine legal knowledge of the GDPR with technical understanding of IT systems and data flows. The DPO may be a staff member or an external service provider under a service contract (Article 37(6)). A group of undertakings may designate a single DPO, provided that DPO is easily accessible from each establishment (Article 37(2)). For more on internal versus external models, see our article on DPO tasks.
What Did the EDPB Find in Its 2024 Enforcement Report?
The EDPB’s coordinated enforcement report, published in January 2024, examined DPO designation and positioning across 25 EEA jurisdictions. Over 17,000 responses from organisations and DPOs were analysed. The report identified seven areas requiring improvement.
First, some organisations required to appoint a DPO under Article 37 had failed to do so. The Polish DPA fined the District Building Control Inspector in Czestochowa EUR 5,814 specifically for failing to designate a DPO as required by law. Second, many DPOs reported insufficient resources, including inadequate budgets, limited access to training, and understaffing. The report noted that DPO workloads often exceed one person’s capacity, making a supporting team necessary.
Third, DPOs reported insufficient opportunities for continuing professional development. Fourth, some DPOs were not fully entrusted with all tasks required by Article 39, with organisations limiting their involvement in DPIAs or breach response. Fifth, conflicts of interest arose when DPOs held operational roles that required them to determine processing purposes, such as head of IT or head of HR. Sixth, some DPOs lacked direct reporting lines to the highest management level, contrary to Article 38(3). Seventh, the report called for more guidance from supervisory authorities on DPO-related obligations.
The DPO’s Position Within the Organisation
The DPO occupies a unique position: embedded within the organisation but independent from its management hierarchy for the purposes of their data protection tasks. This structural arrangement requires clear organisational positioning and management support.
Reporting Lines and Management Access
Article 38(3) requires the DPO to report directly to the highest management level, typically the board of directors, the CEO, or equivalent senior leadership. This reporting line serves two functions: it ensures that data protection concerns reach decision-makers, and it protects the DPO from intermediate management interference.
The controller must involve the DPO in all issues relating to the protection of personal data, properly and in a timely manner (Article 38(1)). This means consulting the DPO before new processing activities begin, during system procurement, when data breaches occur, and when data subject complaints are received. In March 2026, the EDPB launched its coordinated enforcement action for 2026 focusing on transparency and information obligations under Articles 12-14 of the GDPR, with 25 DPAs across Europe set to audit controllers’ compliance – making the DPO’s advisory role on privacy notices and information practices especially critical this year.
Resources and Confidentiality Obligations
The controller must provide the resources necessary to carry out the DPO’s tasks, including budget for training, access to IT systems, and sufficient time (Article 38(2)). The DPO is bound by confidentiality (Article 38(5)) and should maintain records of their advice and assessments. Compliance platforms such as Legiscope can assist DPOs in documenting activities and tracking organisational responses.
Legal disclaimer: This article provides general information about the DPO role under the GDPR. It does not constitute legal advice. Organisations should consult qualified legal counsel when designating a DPO or defining the scope of the role.
Conclusion
The DPO is an independent oversight function, not a compliance execution role. Article 39 assigns five specific tasks centred on advising, monitoring, and liaising with the supervisory authority. The EDPB’s 2024 enforcement report, drawing on over 17,000 responses across 25 jurisdictions, confirmed that many organisations still struggle with DPO resourcing, independence, and proper positioning. With supervisory authorities now issuing fines for DPO-related failures, including a EUR 132,000 penalty for improper DPO positioning in Poland, organisations must ensure their DPO has the independence, resources, and management access that Articles 37-39 require.
Last reviewed: March 2026