Data Protection Officer (DPO) — A Comprehensive Guide to the DPO Role Under GDPR
The Data Protection Officer (DPO), known in Polish as Inspektor Ochrony Danych (IOD), is a key figure in the data protection framework established by the GDPR. For many organisations, appointing a DPO is a legal obligation — but even where it is not required, a competent DPO can significantly improve the effectiveness of the entire data protection system and substantially reduce the risk of breaches.
This guide explains who the DPO is, when appointment is mandatory, what tasks and powers the DPO has, how the role should function within the organisational structure, and when outsourcing may be the best option.
Who Is a Data Protection Officer?
The DPO is a person designated by the data controller or data processor to serve as an internal expert on personal data protection. The role is regulated by Articles 37–39 of the GDPR and is advisory and supervisory in nature — the DPO does not make decisions about how data is processed, but informs, advises, and monitors compliance with the regulations.
It is important to emphasise that the DPO does not bear personal liability for the organisation’s GDPR compliance — that responsibility lies with the data controller. The DPO is responsible for diligently performing their tasks, but it is the controller who is the addressee of any fines or orders from the supervisory authority.
When Is DPO Appointment Mandatory?
Article 37(1) of the GDPR requires the appointment of a DPO in three cases:
1. Public authority or body — with the exception of courts acting in their judicial capacity. This includes, among others, municipal offices, ministries, public hospitals, public schools, universities, and municipal companies.
2. Core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. Examples: insurance companies, banks, telecommunications operators, online platform operators, companies running loyalty programmes, marketing agencies using profiling.
3. Core activities consist of processing on a large scale of special categories of data or data relating to criminal convictions and offences. Examples: hospitals, medical clinics, medical laboratories, companies processing biometric data, organisations providing criminal law advisory services.
In practice, the concepts of “core activities,” “large scale,” and “regular and systematic monitoring” raise interpretative questions. The Article 29 Working Party (now the EDPB) in Guidelines WP 243 clarified these concepts, indicating, among other things, that “large scale” refers to the number of data subjects, the range of data, the duration of processing, and the geographical scope.
Even where DPO appointment is not mandatory, the GDPR encourages organisations to designate one. Additionally, national sectoral legislation may extend the obligation — it is always worth checking whether your organisation is subject to such requirements.
Who Can Be a DPO? Qualification Requirements
The GDPR does not require the DPO to hold any specific degree, certificate, or professional title. Article 37(5) states that the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, and the ability to fulfil their tasks.
In practice, this means the DPO should possess knowledge of data protection law (GDPR, national data protection legislation, sector-specific regulations), practical experience in implementing and monitoring GDPR compliance, a basic understanding of IT processes and information security, and the ability to communicate effectively with various departments (IT, HR, marketing, management).
Certifications such as CIPP/E (Certified Information Privacy Professional/Europe) issued by the IAPP or certifications related to ISO 27001 are not legally required but serve as evidence of competence and are increasingly expected by organisations.
DPO Tasks (Article 39 GDPR)
Article 39 of the GDPR defines the DPO’s minimum set of tasks:
Informing and advising — the DPO informs the controller, processor, and employees about their obligations under the GDPR and other data protection laws. In practice, this includes reviewing new projects and processes from a data protection perspective, advising on documentation, and consulting on incidents and enquiries.
Monitoring compliance — the DPO monitors compliance with the GDPR, other data protection provisions, and the controller’s internal policies, including the assignment of responsibilities, staff training, and audits. The DPO does not implement data protection measures (that is the controller’s task) but verifies whether they have been properly implemented.
Advising on DPIA — the DPO provides advice on Data Protection Impact Assessments (DPIA) and monitors their execution (Article 35 GDPR). The controller is obliged to consult the DPO when carrying out a DPIA.
Cooperation with the supervisory authority — the DPO acts as the contact point for the supervisory authority (UODO in Poland). In the event of an audit, investigation, or inquiry by the authority, the DPO is the first person UODO contacts.
Contact point for data subjects — the DPO is available to data subjects in matters relating to the processing of their data and the exercise of their rights (Article 38(4) GDPR).
The task catalogue in Article 39 is a minimum — the controller may assign additional tasks to the DPO, provided they do not lead to a conflict of interest.
DPO Independence — The Foundation of Effective Data Protection
One of the most important aspects of the DPO role is independence, guaranteed by Article 38 of the GDPR. The regulation provides several safeguards:
No instructions — the controller may not give the DPO instructions regarding the performance of their tasks (Article 38(3)). The DPO independently decides how to fulfil their duties — what issues to prioritise, what audits to conduct, and what recommendations to issue.
No penalties — the DPO may not be dismissed or penalised for performing their tasks (Article 38(3)). If the DPO issues a recommendation that the management dislikes, they cannot be terminated or demoted for it.
Direct access to senior management — the DPO reports directly to the highest management level of the controller (Article 38(3)). This means the DPO should be able to report directly to the board of directors, supervisory board, or CEO — without intermediaries who could filter or block their communications.
Adequate resources — the controller must provide the DPO with the resources necessary to perform their tasks and access to personal data and processing operations (Article 38(2)). This includes sufficient time (the DPO must not be overburdened with other duties to the point of being unable to fulfil their role), a budget for training and tools, access to IT systems and documentation, and support from other departments.
Conflict of Interest — What to Watch Out For
Article 38(6) of the GDPR allows the DPO to perform other tasks and duties within the organisation, but the controller must ensure that these do not result in a conflict of interest.
In practice, a conflict of interest arises when the DPO simultaneously determines the purposes and means of data processing. The Article 29 Working Party, in Guidelines WP 243 (since endorsed by the EDPB), indicated that the DPO role should not be combined with positions such as: CEO, CFO, CTO/CIO, Head of HR, Head of Marketing, or Head of Legal (if they decide on processing activities).
European supervisory authorities have imposed fines for DPO conflicts of interest — for instance, the Belgian supervisory authority fined a company where the DPO simultaneously headed the compliance department responsible for data processing.
Internal vs. External DPO — Which Model to Choose?
The GDPR permits two models for the DPO function:
Internal DPO (employee of the organisation):
Advantages: permanent presence in the organisation, deep knowledge of internal processes, easier access to information, building a data protection culture from within.
Challenges: risk of conflict of interest (if the DPO also performs other functions), difficulty in ensuring independence (pressure from superiors), fixed costs (salary, training, tools), need for continuous professional development.
External DPO (outsourced DPO):
Advantages: full independence from the organisational structure (no risk of conflict of interest or internal pressure), access to a broad team of experts (lawyers, IT specialists, auditors), up-to-date knowledge (an external DPO serves multiple clients and stays current with market practice, case law, and supervisory authority decisions), cost flexibility (you pay for the actual scope of service, without the fixed costs of an employee).
Challenges: less physical presence in the organisation (addressed through regular visits and permanent remote availability), need for thorough onboarding (familiarisation with the company’s processes).
For whom is DPO outsourcing the best solution? Primarily for small and medium-sized companies that lack the resources for a full-time DPO, organisations that want to avoid conflicts of interest, companies that need a DPO with broad competencies (law, IT, audit), and public entities with limited budgets.
Registering the DPO with UODO
The controller is obliged to notify UODO of the DPO appointment within 14 days of the designation date (Article 10 of the Polish Act of 10 May 2018 on the Protection of Personal Data). The notification is submitted electronically via the UODO website (DPO Database).
The notification must include: the DPO’s full name, email address, phone number, date of appointment, and the controller’s details (name, address, REGON number).
The same obligation applies to the removal of the DPO or a change of contact details — the controller has 14 days to report changes.
Additionally, the controller must publish the DPO’s contact details (publishing the full name is not required — an email address and phone number are sufficient) and make them available to data subjects in privacy notices.
The DPO During a UODO Audit
In the event of an audit by UODO, the DPO plays a crucial role. Under Article 38(4) of the GDPR, the DPO is the contact point for the supervisory authority — UODO will first approach the DPO with questions, requests for clarification, or audit notifications.
In practice, the DPO should be prepared for a UODO audit, which means having up-to-date data protection documentation (ROPA, policies, procedures, DPIAs), a breach register, documentation of data subject rights fulfilment, evidence of training and audits conducted, and data processing agreements.
A well-prepared DPO can significantly facilitate the audit process and minimise the risk of fines.
Common Mistakes Related to the DPO
Based on audit practice and supervisory authority decisions, the most common organisational mistakes regarding the DPO include:
Failing to appoint a DPO despite the obligation — often resulting from an incorrect assessment that the organisation is not subject to the requirement under Article 37.
Appointing a DPO without adequate qualifications — designating a person with no knowledge of the GDPR, e.g., an IT employee without legal training.
Conflict of interest — assigning the DPO function to a person who simultaneously determines the purposes and means of data processing.
Failing to ensure independence — giving the DPO instructions, restricting access to information, or penalising them for inconvenient recommendations.
Inadequate resources — overburdening the DPO with other duties to the point where they cannot effectively perform their function.
Failing to register the DPO with UODO — omitting the notification obligation or failing to update the data.
Treating the DPO as a “rubber stamp” — formally appointing a DPO without actually involving them in decision-making processes.
Summary — The DPO Role in Brief
The DPO is not a formality or an unnecessary cost — it is a strategic element of the data protection system. A well-functioning DPO reduces the risk of breaches, facilitates cooperation with the supervisory authority, builds a data protection culture within the organisation, and protects the controller from fines.
The key is to ensure the DPO has the right qualifications, independence, and resources — regardless of whether they are an employee or an external expert.
Need a DPO for Your Organisation?
At the Law Office of Dr Joanna Maniszewska-Ejsmont, we provide outsourced Data Protection Officer (DPO) services for companies and public institutions. We ensure full independence, ongoing legal support, compliance monitoring, and readiness for UODO audits.

Contact us — we will assess whether your organisation needs a DPO and propose the optimal solution.
