The DPO assists the controller or the processor in all issues relating to the protection of personal data. In particular, the DPO must:
- inform and advise the controller or processor, as well as their employees, of their obligations under data protection law;
- monitor compliance of the organisation with all legislation in relation to data protection, including in audits, awareness-raising activities as well as training of staff involved in processing operations;
- provide advice where a DPIA has been carried out and monitor its performance;
- act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights;
- cooperate with DPAs and act as a contact point for DPAs on issues relating to processing;
The organisation must involve the DPO in a timely manner. The DPO must not receive any instructions from the controller or processor for the exercise of their tasks. The DPO reports directly to the highest level of management of the organisation.
- Articles 37 to 39 and Recital (97) of the GDPR