DPO (Data Protection Officer)

A DPO (Data Protection Officer) advises your organisation on data protection and serves as the contact point for the supervisory authority. The GDPR requires certain organisations to appoint a DPO, but the role can also be voluntary and is often a good idea even when not legally required.

    What is a DPO?

    A Data Protection Officer (DPO) is a person designated under Articles 37–39 of the GDPR to advise the organisation on its data protection obligations. The DPO has three core functions: advising on compliance with data protection legislation, monitoring that the organisation follows its own policies and the law, and serving as the contact point for the supervisory authority and data subjects.

    The DPO role was introduced by the GDPR to ensure that organisations have an internal expert who can provide independent guidance on data protection matters. The DPO does not bear personal liability for non-compliance; that responsibility remains with the data controller or processor.

    When must you appoint a DPO?

    Under Article 37 of the GDPR, the appointment of a DPO is mandatory in three situations:

    • Public authorities and bodies: Any organisation that is a public authority or body (except courts acting in their judicial capacity) must appoint a DPO.
    • Large-scale systematic monitoring: Organisations whose core activities require regular and systematic monitoring of data subjects on a large scale must appoint a DPO. Examples include behavioural advertising networks and fraud-prevention services.
    • Large-scale processing of special categories: Organisations whose core activities involve large-scale processing of special categories of data (e.g. health data, biometric data) or data relating to criminal convictions must appoint a DPO.

    Even where not mandatory, many organisations choose to appoint a DPO voluntarily as part of their broader GDPR compliance strategy. If you do appoint a DPO voluntarily, the full requirements of Articles 37–39 apply.

    Internal or external DPO

    The DPO can be an employee of the organisation (internal DPO) or an external service provider (external DPO). Both options are expressly permitted by the GDPR. An internal DPO may combine the role with other duties, provided there is no conflict of interest. An external DPO is engaged under a service contract and often serves multiple organisations.

    • Internal DPO: Better knowledge of the organisation's processes, but risk of conflicts of interest if the DPO also holds a management or IT role.
    • External DPO: Greater independence and often broader experience across multiple organisations, but may require more time to understand the specific context.

    The DPO's independence

    The GDPR places strict requirements on the DPO's independence. The organisation must not instruct the DPO on how to carry out their tasks, must not dismiss or penalise the DPO for performing their duties, and must ensure the DPO reports directly to the highest level of management. The DPO must also be provided with the resources necessary to carry out their tasks and maintain their expert knowledge.

    Notification to the supervisory authority:
    Under Article 37(7) of the GDPR, the organisation must communicate the DPO's contact details to the supervisory authority. In Denmark, this is done through Datatilsynet's online notification form. Failure to notify is itself a compliance shortcoming.

    Frequently Asked Questions about DPO (Data Protection Officer)

    What is a DPO?

    A DPO (Data Protection Officer) is a person designated under the GDPR to advise the organisation on data protection, monitor compliance and serve as the contact point for the supervisory authority and data subjects.

    When is a DPO mandatory under the GDPR?

    A DPO is mandatory for public authorities, for organisations whose core activities require large-scale systematic monitoring of data subjects, and for organisations that process special categories of data on a large scale.

    Can a DPO be external?

    Yes. The GDPR expressly permits both internal and external DPOs. An external DPO is engaged under a service contract and can serve multiple organisations, provided they are accessible to each.

    What are the DPO's main responsibilities?

    The DPO advises on data protection obligations, monitors compliance with the GDPR and the organisation's own policies, cooperates with the supervisory authority, and serves as the contact point for data subjects and the authority.

    Must the DPO be notified to the supervisory authority?

    Yes. Under Article 37(7) of the GDPR, the organisation must communicate the DPO's contact details to the supervisory authority. In Denmark, this is done via Datatilsynet's online notification form.
