The Data Protection Officer · dataprotectionofficer.pt

The Data Protection Officer

Who it is, what it does and why the law made it indispensable.

Independence · Expertise · Point of contact

The Data Protection Officer is the function the European legislator placed at the centre of the data protection system. Its existence reflects a clear choice: compliance with the GDPR is not secured by rules alone, but by a permanent, independent and qualified function that accompanies the organisation day to day.

The role is established by the Regulation itself, in Articles 37 to 39, and is developed, in the Portuguese legal order, by Articles 9 to 13 of Law 58/2019. These provisions define who must designate a DPO, its position within the organisation and the tasks it performs. The national law adds its own duties, such as the conduct of audits and awareness-raising for the detection of incidents.

The independence of the DPO

The position of the DPO is surrounded by guarantees designed to preserve its independence. Article 38 of the GDPR brings them together, and they distinguish the DPO from any other adviser to the organisation.

Timely and proper involvement

The DPO is involved, properly and in a timely manner, in all issues relating to the protection of personal data.

Art. 38(1)

Resources and access

The organisation provides the resources necessary to carry out the tasks, access to personal data and processing operations, and the means to maintain expert knowledge.

Art. 38(2)

Independence — no instructions

The DPO does not receive instructions regarding the exercise of the tasks and reports directly to the highest management level.

Art. 38(3)

Protection from dismissal

The DPO may not be dismissed or penalised by the controller or processor for performing the tasks.

Art. 38(3)

Professional secrecy

The DPO is bound by secrecy or confidentiality concerning the performance of the tasks, in accordance with Union or Member State law.

Art. 38(5)

No conflict of interests

The DPO may perform other tasks, provided they do not give rise to a conflict of interests; the DPO may not hold a position that determines the purposes and means of processing (typically senior management roles).

Art. 38(6); WP243

DPO and Compliance Officer are not the same

The DPO is specific to data protection and does not decide the processing; the Compliance Officer covers general compliance. Combining them may create a conflict of interests.
