Frequently Asked Questions
Fourteen answers, grounded in law, to the most common questions about the Data Protection Officer.
Is it mandatory to designate a Data Protection Officer?
Designation is mandatory in three situations set out in Article 37(1) of the GDPR: where processing is carried out by a public authority or body, except for courts acting in their judicial capacity; where the core activities of the controller or processor require the regular and systematic monitoring of data subjects on a large scale; or where they consist of the large-scale processing of special categories of data or of data relating to criminal convictions and offences. Outside these cases, designation may be voluntary.
When is it mandatory for private entities?
Article 13 of Law 58/2019 mirrors, for private entities, the GDPR criteria: a DPO must be designated where the core activity involves operations that, by their nature, scope or purpose, require the regular and systematic monitoring of data subjects on a large scale, or the large-scale processing of special categories of data or of data relating to criminal convictions and offences.
And for public entities?
Under Article 12 of Law 58/2019, there is at least one Data Protection Officer per ministry or governmental area, per regional secretariat of the autonomous regions, and per municipality. Designation falls, respectively, to the minister, the regional secretary and the municipal council, with the power of delegation provided for by law.
Can the DPO be external to the organisation?
Yes. Article 37(6) of the GDPR allows the DPO to perform the role on the basis of a service contract. The CNPD, in Deliberation 2025/267 (2025), expressly confirmed that the DPO may be linked to an entity external to the controller — the basis of the external DPO model.
What is the difference between a DPO and a Compliance Officer?
They are distinct and complementary figures. The Compliance Officer ensures the organisation's general compliance with the body of rules applicable to it and may hold management and efficiency responsibilities. The DPO is a specific figure, legally appointed for data protection, with statutory independence: it does not decide the purposes or means of processing, but informs, advises and monitors. Both are second-line functions that coordinate with each other but must not be conflated.
Can the DPO also hold management or CISO duties?
Only where there is no conflict of interests. Article 38(6) of the GDPR allows the DPO to perform other tasks, but the controller must ensure they do not give rise to a conflict. The WP243 Guidelines clarify that the DPO cannot hold positions that determine the purposes and means of processing — typically senior management roles, and in many cases the head of information systems. Improper accumulation has already led to fines by European supervisory authorities.
Does the DPO decide on the processing of data?
No. Responsibility for the processing remains with the controller. The DPO does not determine the purposes or means and is not personally liable for non-compliance; its role is to inform, advise and monitor, with technical independence and reporting to the highest management level.
Can the DPO be dismissed for performing the role?
No. Article 38(3) of the GDPR prohibits the dismissal or penalisation of the DPO by the controller or processor for performing the tasks, securing the independence the role requires.
What qualifications must the DPO have?
Article 37(5) of the GDPR requires the DPO to be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, and the ability to fulfil the tasks set out in Article 39.
What is a Data Protection Impact Assessment (DPIA)?
It is the assessment the controller must carry out, prior to the processing, where it is likely to result in a high risk to the rights and freedoms of natural persons, under Article 35 of the GDPR. It identifies the risks and the mitigation measures and, where a high residual risk remains, leads to the prior consultation of the authority (Article 36).
What is the record of processing activities?
It is the record provided for in Article 30 of the GDPR, documenting purposes, categories of data and data subjects, recipients, transfers and retention periods. It is the documentary basis of accountability and the first element the authority requests.
How should an organisation react to a personal data breach?
It must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, under Article 33. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, they must also be informed, under Article 34.
What are the rights of data subjects?
Chapter III of the GDPR confers the rights to information, access, rectification, erasure, restriction of processing, portability, objection and the right not to be subject to solely automated decisions. The organisation must have procedures that guarantee their exercise within the legal time limits.
Can a group of undertakings designate a single DPO?
Yes. Article 37(2) of the GDPR allows a group of undertakings to designate a single Data Protection Officer, provided that the DPO is easily accessible from each establishment.
Is the DPO bound by professional secrecy?
Yes. Article 38(5) of the GDPR binds the DPO by secrecy or confidentiality in the performance of the tasks, in accordance with Union or Member State law.