The DPO, guardian of privacy, ensures transparency and compliance with the GDPR. We analyze his duties, skills and the mandatory nature of the appointment according to the European Regulation.

January 28, 2025 was National Data Protection Day, and the focus is on the role of the Data Protection Officer (DPO), a role introduced by the GDPR, the European Data Protection Regulation. The DPO supports the Data Controller or the Data Processor in fulfilling the obligations arising from the European Privacy Regulation.
Recently, the European Data Protection Board (EDPB) highlighted that, despite progress, many DPOs still face difficulties related to independence and lack of adequate resources. At the same time, in Brazil, the National Data Protection Authority (ANPD) is investigating companies that do not comply with the obligation to appoint a DPO, demonstrating how this role is increasingly recognized globally.
But who exactly is the DPO and what role does he or she play within organizations?
Who is the DPO?
The Data Protection Officer is a figure introduced by Regulation (EU) 2016/679 (GDPR) to ensure that organizations process personal data in compliance with current regulations.
The DPO monitors compliance with the GDPR within the entity, acting as a point of contact between the organization, the data subjects and the supervisory authority. The role, defined by art. 39 of the GDPR, goes well beyond a simple administrative function: the DPO acts as both supervisor and adviser.
For example:
“A hospital that manages thousands of digital medical records must appoint a DPO to ensure that sensitive patient health data is processed in accordance with the GDPR. The DPO is responsible for ensuring that only authorised personnel access such information, that IT systems are protected from intrusion and that any security breach is promptly reported to the Data Protection Authority.”
This professional also advises the hospital on how to conduct a Data Protection Impact Assessment (DPIA) for the introduction of new technologies, such as an advanced telemedicine system, thus ensuring that patient privacy is protected.
Tasks of the DPO: what does the DPO do and what is the role for?
The main task of the DPO is to verify that the policies and procedures adopted by the organization comply with European and national data protection regulations. This includes:
- monitoring compliance with the provisions of the GDPR;
- ensuring that the processing of personal data is legitimate, transparent and limited to the declared purposes, in line with the principles established by art. 5 of the GDPR.
Consultancy and operational support
The DPO is an internal consultant who assists the data controller and processor in interpreting and applying the regulations. For example:
- assesses the impact of processing on the rights and freedoms of data subjects, guiding organizations in carrying out the Data Protection Impact Assessments (DPIA) required by art. 35 of the GDPR;
- provides training and awareness-raising to employees to ensure they understand their responsibilities in processing personal data.
Point of contact with the Guarantor and data subjects
The Data Protection Officer acts as the point of contact with the supervisory authority, the Guarantor for the Protection of Personal Data (the Italian supervisory authority), and with data subjects. In the event of a personal data breach, the DPO:
- supports the organization in managing notifications to the Guarantor, required by art. 33 of the GDPR, and any communications to the data subjects, provided for by art. 34;
- collaborates with the Guarantor during any investigations or inspections.
Audit and internal control
Another fundamental task is to carry out periodic internal checks to identify any risks of non-compliance. This includes:
- analysis of the procedures for collecting, storing and using personal data;
- verification of the technical and organizational security measures implemented pursuant to Article 32 of the GDPR.
Risk Management
The DPO does not simply react to problems, but adopts a preventive approach, identifying vulnerabilities in processing systems and suggesting measures to reduce risks, such as the implementation of privacy by design and by default, provided for by art. 25 of the GDPR.
Who appoints the DPO in a company?
The appointment of the Data Protection Officer is a direct responsibility of the data controller or the processor, as provided for by art. 37 of the GDPR. The choice can be made in two ways: by designating a figure within the organization or by entrusting the task to an external consultant, through a service contract.
Appointment criteria
The designation of the DPO must take into account specific criteria established by the GDPR, in particular:
- professional experience: must have in-depth knowledge of the legislation on the protection of personal data, the GDPR and related national laws;
- technical competence: he or she must have practical skills in managing IT security and the risks associated with data processing;
- independence and autonomy: the designated figure must not be subject to conflicts of interest or internal conditioning, to guarantee impartiality in the control of processing activities.
Formalization of the assignment
The appointment must be formalized through an official document that specifies the role and responsibilities of the Data Protection Officer (art. 39 of the GDPR), the methods of interaction with the company management and with the supervisory authority and the absence of conflicts of interest (art. 38 of the GDPR).
Is the company DPO always mandatory?
The appointment of the Data Protection Officer is not always mandatory, but depends on the specific processing activities carried out by the organization. Article 37 of Regulation (EU) 2016/679 (GDPR) identifies three circumstances in which designation is necessary:
- public authorities or bodies: for all public administrations and public bodies (for example, schools and hospitals); except for judicial authorities in the exercise of their functions;
- regular and systematic monitoring on a large scale: if the core activity of the organization involves the continuous monitoring of data subjects, for example telecommunications services, social media platforms or surveillance systems;
- large-scale processing of sensitive or judicial data: when the processing involves data falling within the special categories provided for by art. 9 of the GDPR, such as health information, biometric or genetic data, or data relating to criminal offences and convictions.
Outside of these situations, the appointment of a DPO is optional. However, even in the absence of a formal obligation, many companies choose to designate one on a voluntary basis to strengthen their data protection policies and reduce the risks of regulatory non-compliance.
Guidelines of the European Data Protection Board
The WP243 Guidelines of the European Data Protection Board provide practical clarifications on the application of these criteria. For example, they define the meaning of "large scale" and "regular and systematic monitoring", underlining the importance of assessing the mandatory nature of the appointment on a case-by-case basis.
DPO: who can do it?
The designation of a Data Protection Officer requires compliance with specific requirements, both in terms of skills and independence. The DPO must be chosen on the basis of his or her professional qualities, in particular his or her specialist knowledge of data protection legislation and practices, as well as his or her ability to carry out the tasks assigned (art. 37, par. 5, of the GDPR).
Professional requirements
To be able to perform the role, the DPO must have:
- legal knowledge: the DPO must have detailed knowledge of the GDPR, national regulations (such as Legislative Decree 196/2003 amended by Legislative Decree 101/2018) and the guidelines issued by the competent authorities, such as the European Data Protection Board (EDPB) and the Privacy Guarantor;
- technical skills: good command of the technologies used for the processing of personal data and IT security measures, including encryption, vulnerability management and risk mitigation techniques;
- practical experience: in addition to theoretical knowledge, the DPO needs concrete experience in managing regulatory compliance processes, risk assessment and the supervision of company procedures related to privacy.
Independence and autonomy
The DPO must operate without interference or pressure from the organization that appointed him or her. To ensure this autonomy, the DPO must not hold roles that could generate conflicts of interest, such as IT manager or marketing manager, since those roles are involved in decisions on data processing. The DPO must also have direct access to top management, ensuring transparent and timely communication on data protection issues.
Original article published on Money.it Italy. Original title: Chi è il DPO, cosa fa e a cosa serve