The tasks of the Data Protection Officer are set out in Article 39 of the GDPR and extended, in Portugal, by Article 11 of Law 58/2019. They are not a catalogue of good practice: they are legal duties whose breach exposes the organisation.
Inform and Advise
Inform and advise the controller, the processor and the staff who carry out processing of their obligations under the GDPR, Law 58/2019 and other Union or national data protection provisions.
GDPR, Art. 39(1)(a)
Monitor Compliance
Monitor compliance with the GDPR and with the controller's or processor's data protection policies, including the assignment of responsibilities, awareness-raising and the training of staff involved in processing operations.
GDPR, Art. 39(1)(b)
Advise on the DPIA
Provide advice, where requested, regarding the data protection impact assessment and monitor its performance pursuant to Article 35 of the GDPR.
GDPR, Art. 39(1)(c)
Cooperate with the Authority
Cooperate with the supervisory authority and act as its point of contact on matters relating to processing, including the prior consultation referred to in Article 36, consulting it on any other matter where appropriate.
GDPR, Art. 39(1)(d)–(e)
Point of Contact for Data Subjects
Act as the point of contact for data subjects on all matters related to the processing of their personal data and to the exercise of their rights under the Regulation.
GDPR, Art. 38(4); Law 58/2019, Art. 11(c)
Conduct Audits
Ensure the performance of audits, whether periodic or unscheduled — an express duty added by Portuguese law to the framework of Articles 37 to 39 of the GDPR.
Law 58/2019, Art. 11(a)
Awareness of Security Incidents
Raise users' awareness of the importance of the timely detection of security incidents and of the need to inform the person responsible for security without delay.
Law 58/2019, Art. 11(b)
Risk-Based Approach
In performing the tasks, have due regard to the risk associated with processing operations, taking into account their nature, scope, context and purposes.
GDPR, Art. 39(2)