The document outlines guidelines for the designation, position, and tasks of the Data Protection Officer (DPO) under the GDPR. It covers the mandatory designation criteria, including what constitutes a 'public authority or body,' 'core activities,' 'large scale' operations, and 'regular and systematic monitoring,' as well as the handling of special categories of data. It discusses the DPO's role for processors, conditions for appointing a single DPO for multiple organizations, DPO accessibility, required expertise and skills, and how to communicate the DPO's contact details. The position section emphasizes the DPO's involvement in all data protection matters, the resources needed, independence, protection against dismissal or penalty, and conflict of interests. The tasks section details the DPO's responsibilities in monitoring GDPR compliance, involvement in data protection impact assessments, cooperation with supervisory authorities, and a risk-based approach to duties.
Author: European Data Protection Board
Status: Adopted / Published
Adoption date: 2017-10-30
Last updated: 08 Aug 2025
Category: Guidance
Subcategory: Official guidance