What is a Data Protection Officer (DPO)?
The data protection officer (DPO) is a privacy and data protection leadership role for organizations that process personal data.
Under Article 37 of the GDPR, a data protection officer must be designated where processing of personal data is carried out by a public authority (except for courts acting in their judicial capacity), where the core activities of the organization consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or where the core activities of the organization consist of processing on a large scale of special categories of data or personal data relating to criminal convictions or offences.
A group of businesses may appoint a single data protection officer so long as the DPO is easily accessible to each.
DPOs must be appointed on the basis of their professional qualities and their expert knowledge of data protection law and practices.
Organizations must publish the contact details of their data protection officer and communicate them to the supervisory authority. Data subjects may contact the DPO.
A data protection officer is a key part of the privacy team of an organization. Controllers and processors must involve the DPO in all issues related to the protection of personal data. Controllers and processors must support the DPO, may not direct the actions of the DPO, and may not dismiss or penalize the DPO for performing DPO tasks. The DPO must report directly to the highest management level of the controller or processor, generally the board of directors.
Under Article 39 of the GDPR, the DPO has several tasks. DPOs need to inform and advise controllers and processors, and the employees who carry out processing, of their data protection obligations; to monitor compliance with the GDPR; to advise on data protection impact assessments and monitor their performance; to cooperate with the supervisory authority; and to act as a contact point for the supervisory authority.
Organizations need a data protection officer located in the country where the majority of their data processing occurs or where their operational headquarters are. For companies based outside of the EU, much decision making might come from outside the EU, but the local DPO still needs to be involved in a meaningful way.
See Section 4, Articles 37, 38 and 39 of the GDPR, which relate to the DPO.