The Data Protection Officer (DPO) is one of the most ambiguous roles in the organisational structure arising from the GDPR. In many organisations, the DPO is simply the person who “does GDPR” — writing documents, conducting training, answering employee questions. Yet the GDPR defines the DPO in an entirely different way: as an independent advisory and supervisory function, whose very essence is independence from those who make decisions about data processing.
Organisations that forget this bear the consequences. In September 2025, the Polish supervisory authority UODO fined a medical company PLN 11,365 for six years of combining the roles of CEO and DPO in one person — despite the company’s conviction that such an arrangement was permissible and optimal.
When Is Appointing a DPO Mandatory?
Article 37(1) GDPR identifies three categories of organisations required to appoint a DPO:
1. Public authorities and bodies — with the exception of courts acting in their judicial capacity. The obligation applies to all public authorities and bodies regardless of the scale of their data processing.
2. Organisations whose core activities consist of large-scale regular and systematic monitoring of individuals — for example, telecommunications operators, advertising platforms, insurance companies, entities providing monitoring services. The key word is “core activities” — data processing must constitute the essential, not incidental, activity of the controller.
3. Organisations whose core activities consist of large-scale processing of special categories of data (Article 9 GDPR) or data relating to criminal convictions — i.e. health data, genetic data, biometric data, racial or ethnic origin, religious beliefs. This covers hospitals, clinics, law firms handling criminal cases, and companies engaged in biometric data analysis.
Understanding “large scale”: The GDPR does not define a numerical threshold. Relevant factors include: the number of data subjects, the scope and variety of data categories, the duration of processing, and the geographic extent. A doctor running a solo practice does not process health data on a large scale. A hospital network does.
When Is a DPO Voluntary?
Beyond the mandatory cases, a controller may appoint a DPO voluntarily. If it does so, all GDPR requirements applicable to the role must be observed, including the independence requirement.
Who Can Be a DPO — Qualification Requirements
Article 37(5) GDPR requires that the DPO be appointed on the basis of professional qualities and expert knowledge of data protection law and practice, as well as the ability to fulfil the tasks referred to in Article 39. The GDPR does not specify particular certifications or academic degrees — practical knowledge and the ability to carry out DPO tasks are what matter.
The DPO may be an employee of the controller or an external service provider (an individual or a company providing DPO services under a contract). A single DPO may serve a group of undertakings or several public bodies simultaneously, provided they are easily accessible to each of them.
Who CANNOT Be a DPO — Conflicts of Interest
This is the area where supervisory authorities have significantly increased enforcement. Article 38(6) GDPR states that the DPO may perform other tasks and duties only where these do not result in a conflict of interests.
The CEO cannot be the DPO — this was confirmed unambiguously by the UODO decision DKN.5131.7.2025 of 12 September 2025. A medical company had entrusted this function to its CEO for nearly six years, arguing that in the medical sector there is no conflict of interest between management and the DPO. The UODO rejected this argument: a person who determines the purposes and means of data processing cannot simultaneously supervise compliance with the GDPR in respect of that processing.
The IT director responsible for security cannot be the DPO — the DPO cannot oversee their own work. The UODO fined Toyota Bank, in part, for exactly this kind of “incorrect positioning of the DPO” in the organisational structure (decision DKN.5112.14.2022, penalty of PLN 261,918 for this element).
The general principle: the DPO may not hold any role involving decisions about the purposes or means of data processing. This applies to CEOs, HR directors, CFOs, marketing directors, and IT managers responsible for information security — wherever such roles involve decisions about data processing.
According to the UODO’s position, it is impermissible to appoint as DPO any member of the management board, school principal, mayor, or HR director — where, in the exercise of those roles, they make decisions about the means of data processing.
DPO Tasks — What the DPO Does and Does Not Do
Article 39(1) GDPR identifies five main tasks of the DPO:
Informing and advising — the controller, processor, and employees who carry out processing should receive from the DPO information about their obligations under the GDPR and other data protection provisions.
Monitoring compliance — the DPO monitors compliance with the GDPR, internal policies, the allocation of responsibilities, and conducts related awareness activities, staff training, and audits.
Advising on DPIAs — the DPO advises on data protection impact assessments and monitors their performance.
Cooperating with the supervisory authority — the DPO is the point of contact for the supervisory authority.
Acting as contact point for data subjects — individuals may contact the DPO on all matters relating to the processing of their personal data.
What the DPO should not do — according to the UODO’s updated guidance from 2025, the DPO should not: notify the supervisory authority of personal data breaches on behalf of the controller, notify data subjects of breaches on behalf of the controller, document breaches where this would involve making decisions reserved for the controller, act under a power of attorney in matters relating to data protection. These actions belong to the controller — the DPO advises and monitors, but does not decide and does not act on behalf of the controller.
The DPO’s Position in the Organisation
Article 38 GDPR imposes specific obligations on the controller towards the DPO: involving the DPO in all matters relating to personal data protection, providing the necessary resources and time, granting access to personal data and processing operations, and enabling the DPO to maintain their expert knowledge.
The DPO reports directly to the highest level of management — but cannot be that management. The DPO cannot be dismissed or penalised for performing their tasks. The DPO cannot receive instructions on how to carry out DPO tasks.
Notifying the DPO to the Supervisory Authority
The controller must notify the DPO to the President of the UODO (Article 37(7) GDPR) — providing the DPO’s name and email address or telephone number. Every change — appointment of a new DPO, dismissal of the current one, or change of contact details — must be notified without undue delay. Failure to notify a change has been the subject of UODO proceedings.
Most Common Mistakes
Combining the DPO role with decision-making positions. CEO, HR director, IT director as DPO — a violation of Article 38(6) GDPR confirmed by UODO decisions with penalties.
DPO as implementer rather than adviser. Organisations that task the DPO with writing documents and implementing procedures create a situation where the DPO oversees their own work.
Insufficient resources for the DPO. A DPO without access to systems and documentation cannot effectively monitor compliance.
Failure to notify a DPO change to the supervisory authority. Every change requires prompt notification.
Treating the DPO as responsible for GDPR violations. The DPO does not bear responsibility for the organisation’s GDPR violations — responsibility rests with the controller. The DPO is responsible only for failing to perform their own tasks under Article 39 GDPR.
Summary
The Data Protection Officer is an independent advisory and supervisory function — not an executive one. Its essence is the ability to objectively assess the controller’s actions without risk of conflict of interest. Key principles: DPO mandatory for public bodies, organisations conducting large-scale monitoring, and those processing special categories of data on a large scale; the CEO and other decision-makers cannot be the DPO; the DPO advises and monitors — does not decide and does not act on behalf of the controller; every DPO change must be notified to the supervisory authority without undue delay.
FAQ
Not necessarily. The obligation applies to public bodies, organisations monitoring individuals on a large scale, and those processing special categories of data on a large scale. Small companies that do not meet these criteria may appoint a DPO voluntarily.
No — the DPO may be an external specialist or a company providing DPO services. Both arrangements are permitted under the GDPR.
Only if they do not make decisions about the purposes and means of processing employee data. In practice — in most organisations, the HR director is involved in such decisions, creating a conflict of interest.
Is the DPO liable for the organisation’s GDPR violations?
No — liability for GDPR violations rests with the controller. The DPO is responsible only for failing to carry out their own tasks under Article 39 GDPR.
Electronically through the supervisory authority’s platform, providing the DPO’s name and email address or telephone number. Every change must be notified without undue delay.
The DPO needs tools — not a stack of spreadsheets
iGDPR gives the Data Protection Officer access to an up-to-date record of processing activities, risk assessments, data processing agreements, and a breach register — everything needed to monitor compliance effectively, in one place.