Art. 38 GDPR defines the position of the Data Protection Officer within an organisation. It is not about what a DPO does (that is Art. 39) or when a DPO must be designated (Art. 37). Art. 38 is about how the DPO must be positioned: involved in all data protection issues, given adequate resources, free from instructions, protected from dismissal, and reporting directly to the highest management level. These are not aspirational guidelines — they are enforceable obligations that DPAs have begun sanctioning.
Key Takeaways
- Art. 38(1) GDPR requires the DPO to be involved, properly and in a timely manner, in all issues relating to the protection of personal data.
- Art. 38(3) prohibits giving the DPO instructions on the exercise of their tasks and protects them from dismissal or penalty for performing their role.
- The DPO must report directly to the highest management level — CEO, board, or equivalent — not to middle management.
- Art. 38(6) allows the DPO to hold other roles, but the controller must ensure no conflict of interests — CTO, Head of Marketing, and HR Director are typically incompatible.
- The Polish DPA fined a financial institution EUR 132,000 in 2025 partly for improper DPO positioning.
Art. 38(1): Mandatory Involvement in All Data Protection Issues
Art. 38(1) states: “The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”
This is an active obligation on the organisation, not a passive right of the DPO. The Guidelines on Data Protection Officers (WP 243 rev.01, adopted by the Article 29 Working Party and endorsed by the EDPB) give “timely involvement” concrete meaning: the DPO must be consulted:
- Before new processing activities are launched — not after they are already running
- During the design phase of new systems that process personal data (linking to data protection by design and by default under Art. 25)
- When a personal data breach occurs — the DPO should be consulted promptly and be part of the incident response process, since the notification clock under Art. 33(1) (without undue delay and, where feasible, within 72 hours of becoming aware) starts running immediately
- Before responding to supervisory authority enquiries
- During DPIA processes under Art. 35 — the DPO’s advice must be sought (Art. 35(2))
Practical example: A retail company launches a new customer loyalty programme that tracks purchase history and location data. Art. 38(1) requires consulting the DPO before the programme design is finalised — not presenting the finished system for rubber-stamping. If the DPO advises that a DPIA is required (Art. 35), the assessment must be completed before processing starts (Art. 35(1)), and if it shows a high residual risk the supervisory authority must be consulted before launch (Art. 36).
Common failure: The DPO learns about new processing activities from employees or press releases rather than through a formal consultation process. This is an Art. 38(1) violation, regardless of whether the processing itself is lawful.
Art. 38(2): Adequate Resources and Expert Knowledge
Art. 38(2) states: “The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.”
This covers three distinct requirements:
Resources to Perform DPO Tasks
The organisation must provide sufficient budget, staff, and tools. For a large organisation, a single DPO without a team or compliance software cannot effectively monitor processing across hundreds of activities. The WP 243 guidelines state that the more complex or sensitive the processing operations, the more resources the DPO must be given.
Resources include:
- Staff support — dedicated team members for large organisations
- Compliance tools — software for managing Art. 30 records, DPIAs, and data subject requests
- Budget for external legal advice on complex data protection questions
- Time — the DPO must be given sufficient time to perform their tasks, not buried under unrelated work
Access to Data and Processing Operations
The DPO must have access to:
- All processing activities and their documentation
- IT systems that process personal data
- Data breach records and incident reports
- Art. 28 data processing agreements with processors
- Results of security audits, penetration tests, and vulnerability assessments that support the Art. 32 security measures
An organisation that restricts the DPO’s access to certain systems or departments violates Art. 38(2).
Maintaining Expert Knowledge
The DPO must be given opportunities to stay current: training, conferences, legal updates, and professional development. The IAPP’s 2026 Governance Report found that a significant proportion of DPOs cite inadequate training budgets as a barrier to effective performance.
Art. 38(3): No Instructions and Dismissal Protection
Art. 38(3) is the independence guarantee: “The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.”
This paragraph contains three separate obligations:
No Instructions on DPO Tasks
The DPO cannot be told what conclusions to reach, which recommendations to make, how to investigate a complaint, or whether to consult the supervisory authority. Management can assign the DPO other duties under Art. 38(6) and agree working arrangements, but cannot instruct the DPO to approve a processing activity, dismiss a data subject complaint, take a particular view of a data protection question, or refrain from reporting a breach.
Practical example: A CEO asks the DPO to “find a way to make this processing lawful” rather than asking for an independent assessment. This crosses the line — the DPO must be free to conclude that the processing is unlawful if the analysis supports that conclusion.
Dismissal and Penalty Protection
The DPO cannot be dismissed or penalised — demotion, denial of promotion, reassignment of duties — for performing their DPO tasks. This protection applies even when the DPO’s findings are unwelcome.
The WP 243 guidelines confirm that dismissal for reasons unrelated to DPO tasks (e.g., gross misconduct or genuine redundancy) remains permissible. Which party must prove that a dismissal is unrelated to the DPO role is a matter of national employment law, not of the GDPR itself; the CJEU held in Leistritz (C-534/20, 2022) that Member States may grant DPOs stronger dismissal protection than Art. 38(3) provides, as long as it does not undermine the objectives of the Regulation.
Enforcement example: In 2023, the Belgian DPA found that an organisation had effectively penalised its DPO by reducing their responsibilities and excluding them from management meetings after the DPO raised concerns about a marketing campaign. The DPA ordered corrective measures and noted that such treatment constitutes an Art. 38(3) violation.
Direct Reporting to Highest Management
The DPO must report directly to the CEO, board of directors, or equivalent — not to the General Counsel, CIO, or Head of Compliance. This reporting line ensures that data protection matters reach decision-makers without being filtered or downplayed by intermediate management.
Practical implementation: The DPO should have a standing agenda item at board meetings (at least quarterly), direct access to the CEO for urgent matters, and a formal reporting channel that bypasses department heads. For guidance on when DPO designation is mandatory and how to formalise the appointment, see our dedicated guide.
Art. 38(4): Contact Point for Data Subjects
Art. 38(4) states that data subjects may contact the DPO “with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.”
The DPO must be accessible. Art. 37(7) requires the controller or processor to publish the DPO’s contact details (typically an email address in the privacy notice) and to communicate them to the supervisory authority. The DPO handles enquiries about processing practices and coordinates responses to data subject access requests, erasure requests, and portability requests.
Response timelines under Art. 12(3) are strict: without undue delay and in any event within one month of receipt, extendable by two further months where necessary given the complexity and number of requests, and the data subject must be told of any extension, with reasons, within the first month. The DPO must coordinate with relevant departments to meet these deadlines.
Art. 38(5): Confidentiality Obligation
The DPO is bound by secrecy or confidentiality concerning the performance of their tasks, in accordance with Union or Member State law. This means information obtained through DPO functions — including details of data breaches, internal compliance weaknesses, or data subject complaints — cannot be disclosed except as required by law or to the supervisory authority.
Art. 38(6): Other Tasks and Conflict of Interests
Art. 38(6) permits the DPO to hold other roles within the organisation, provided those roles do not create a conflict of interests. A conflict arises when the DPO holds a position that requires determining processing purposes or means — because the DPO would then be monitoring their own decisions.
Roles typically incompatible with the DPO function:
| Role | Why It Conflicts |
|---|---|
| CTO / CIO | Determines technical means of processing |
| Head of Marketing | Determines purposes and means of marketing data processing |
| HR Director | Determines purposes of employee data processing |
| Head of Legal / General Counsel | May create conflicting advisory obligations |
| CEO / Managing Director | Determines all processing purposes |
Roles that may be compatible (depending on scope): Compliance officer (if not determining processing purposes — see our comparison of DPO vs compliance officer), quality manager, internal auditor (with careful scoping).
The Belgian DPA fined Proximus EUR 50,000 in 2020 for appointing a DPO who also headed the compliance, risk management, and audit department — a combination the DPA found inherently conflicted.
Enforcement: DPO Positioning Violations
Polish DPA (2025) — Fined a financial institution EUR 132,000 for multiple GDPR violations, including improper DPO positioning that compromised the officer’s ability to effectively oversee data processing and processor relationships.
Belgian DPA v Proximus (2020) — EUR 50,000 fine for conflict of interests in DPO appointment. The DPO simultaneously headed compliance, risk, and audit functions, creating a situation where the DPO was effectively monitoring their own work.
German LfDI cases — Several German state DPAs have issued warnings to organisations where the DPO reported to the IT department rather than to the board, finding this an Art. 38(3) violation of the direct reporting requirement.
Full Text of Article 38
Article 38 — Position of the data protection officer
1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
2. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
FAQ
What independence protections does a DPO have under GDPR?
Art. 38(3) provides three protections: (1) the DPO cannot receive instructions regarding the exercise of their tasks, (2) the DPO cannot be dismissed or penalised for performing their role, and (3) the DPO must report directly to the highest management level. These protections apply regardless of whether the DPO is an employee or an external service provider.
Can a DPO hold other roles within the organisation?
Yes, Art. 38(6) permits this, provided no conflict of interest exists. The DPO cannot hold a position that requires determining processing purposes or means. Roles like CTO, Head of Marketing, HR Director, and CEO are typically incompatible. The Belgian DPA fined Proximus EUR 50,000 for appointing a DPO who also headed compliance, risk, and audit.
Must the DPO report directly to the CEO or board?
Art. 38(3) requires the DPO to “directly report to the highest management level of the controller or the processor.” This means the CEO, board of directors, or equivalent governing body — not middle management, the General Counsel, or the CIO. German DPAs have issued warnings for violations of this requirement.
Can an external (outsourced) DPO fulfil the Art. 38 requirements?
Yes. Art. 37(6) explicitly permits designating a DPO on the basis of a service contract. External DPOs are common for SMEs. The same independence, non-conflict, accessibility, and direct reporting requirements under Art. 38 apply regardless of employment status. For details on the tasks the DPO must perform, see our dedicated guide.