Compliance

Data Protection Officer DPO

Stands for: Data Protection Officer

The independent advisor a controller or processor must appoint under GDPR Article 37 in defined circumstances, responsible for monitoring data-protection compliance.

Definition

The **Data Protection Officer (DPO)** is a statutory role under Articles 37 to 39 of the GDPR. The controller or processor must designate a DPO when the processing is carried out by a public authority, when the core activities require regular and systematic monitoring of data subjects on a large scale, or when the core activities involve large-scale processing of special-category data under Article 9 or data on criminal convictions under Article 10.

The DPO's tasks under Article 39 include informing and advising the organisation, monitoring GDPR compliance, advising on Data Protection Impact Assessments, cooperating with the supervisory authority, and acting as the contact point for data subjects. The role must be independent: the DPO reports to the highest level of management, cannot be dismissed or penalised for performing their duties, and cannot hold a conflicting role such as head of marketing or head of HR.

A DPO can be an employee or an external service provider, and a group of undertakings can share a single DPO if they remain easily accessible from each establishment. Some non-EU jurisdictions have adopted equivalent or analogous roles: the UK GDPR mirrors Articles 37 to 39, and Brazil's LGPD requires an encarregado.

When you'll encounter it

You will encounter DPO obligations when designing the privacy programme of any organisation processing health data, biometrics, behavioural advertising data at scale, employee monitoring data, or operating as a public authority. The DPO's contact details must be published, typically in the privacy notice, and notified to the supervisory authority.

FAQ

Is a DPO mandatory for every company?

No. GDPR Article 37 specifies three triggers (public authority, large-scale systematic monitoring, large-scale special-category processing). Outside those triggers, designation is voluntary, but once an organisation appoints a DPO voluntarily, the same Article 38 and 39 protections and tasks apply to the appointed person.

Can the DPO also be the CEO or CISO?

No, not without a conflict of interest under Article 38(6). The EDPB Guidelines on DPOs prohibit roles that determine the purposes and means of processing, such as CEO, COO, head of marketing, head of HR, or head of IT, from being combined with the DPO function.

Does the DPO have personal liability?

No. Liability for GDPR violations sits with the controller or processor, not the DPO. The DPO's role is advisory and monitoring; it does not assume the obligations of the data controller. The supervisory authority cannot fine the DPO directly for the organisation's failures.