Home / Data Protection Officer / Profile of the DPO


The DPO is a professional whose tasks are set out in article 39 of Regulation (EU) 679/2016, and who is responsible for applying legislation on privacy and data protection.

The data protection officer will perform at least the following tasks:

a) Inform and advise the controller or the processor and the employees who process data of the obligations incumbent upon them under the Regulation and other data protection provisions in the European Union or Member States.

b) Supervise compliance with the provisions of the Regulation and other data protection provisions in the European Union or Member States and with the policies of the controller or processor in relation to the protection of personal data.

c) Supervise the assignment of responsibilities.

d) Supervise awareness raising and training of personnel who participate in processing operations.

e) Supervise the corresponding audits.

f) Offer advice requested regarding data protection impact assessments.

g) Supervise their application in accordance with article 35 of the Regulation.

h) Cooperate with the supervisory authority

i) Act as the contact point for the supervisory authority for issues regarding data processing, including the prior consultation referenced in article 36 of the Regulation.

j) Consult with the supervisory authority, as appropriate, on any matter.

The data protection officer will carry out their functions by paying due attention to the risks associated with data processing operations, and keeping in mind the nature, scope, context, and purposes of data processing.

To do so, he/she must be able to:

a) a. collect information to identify processing activities,

b) b. analyse and check the compliance of processing activities and,

c) c. inform, advise, and issue recommendations to the controller or the processor.

d) d. collect information to supervise the register of processing operations.

e) provide advice on the application of the principle of data protection by design and by default.

f) Advise on

  • whether a data protection impact assessment should be carried out or not
  • what methodology should be followed when carrying out a data protection impact assessment
  • whether a data protection impact assessment should be carried out in-house or outsource it
  • what safeguards (including technical and organisational measures) to apply in order to mitigate any risk to the rights and interests of the data subjects
  • whether or not the data protection impact assessment has been carried out correctly
  • • if its conclusions (whether to continue with the processing or not and what safeguards should be applied) are in compliance with the Regulation

g) g. prioritise their activities and focus their efforts on those issues which pose a greater risk in terms of data protection.

h) advise the data controller on:

  • which methodology should be used when carrying out a data protection impact assessment,
  • which areas should be subject to an internal or external data protection audit,
  • which internal training activities to provide to personnel or the managers responsible for data processing activities and to which processing operations the most time and resources should be dedicated.