Data protection officers

A data protection officer is an expert within the organisation who monitors the processing of personal data and provides advice on compliance with data protection regulations.

The data protection officer

  • monitors compliance with data protection rules across the organisation and highlights any deficiencies
  • provides management and the employees that process personal data with information and advice on their duties specified in the data protection rules
  • gives advice on carrying out the data protection impact assessment and monitors its implementation
  • serves as the contact person for data subjects in matters related to the processing of personal data and
  • is the point of contact with the Office of the Data Protection Ombudsman and cooperates with the Office.

Instructions for organisations that have designated a data protection officer

1. The data protection officer must be provided with sufficient time, tools and competencies for performing his or her duties. The data protection officer should also be given the opportunity to seek training.

2. The data protection officer or his or her team shall be involved in the handling of all questions related to data protection at the earliest stage possible.

3. The data protection officer should always be present when decisions affecting data protection are made. All relevant information shall be delivered to the data protection officer immediately so that he or she can give appropriate advice.

4. The data protection officer must have the possibility to report directly to the management. The data protection officer shall be regularly invited to high- and mid-level meetings.

5. The opinion of the data protection officer shall be given the appropriate weight. In case of a difference of opinion, the grounds on which the advice of the data protection officer was not followed should be documented.

6. The data protection officer shall be consulted as soon as possible on any personal data breaches or other issues concerning data protection.

7. Compliance with data protection regulations is the responsibility of the controller or processor. Data protection officers are not personally responsible for infringements of the General Data Protection Regulation.

Read more:

Designation of the data protection officer
GDPR: Articles 37‒39, recital 97
Guidelines on Data Protection Officers