
GDPR Art.39: Tasks of the Data Protection Officer

What This Control Requires

The data protection officer shall have at least the following tasks: (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data; (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35; (d) to cooperate with the supervisory authority; (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36.

In Plain Language

Knowing what the DPO is actually supposed to do day-to-day makes the difference between a compliance checkbox and a genuinely effective function. Article 39 sets out five core tasks: advising the organisation on its obligations, monitoring compliance, guiding DPIAs, cooperating with the supervisory authority, and serving as the regulator's point of contact. The advisory role reaches beyond leadership - the DPO should be accessible to every employee involved in processing personal data. The monitoring role goes further than offering opinions; it means actively overseeing adherence to the GDPR, national laws, and the organisation's own policies through audits, awareness training, and responsibility assignment. The DPO's relationship with the supervisory authority is a critical part of the role. They are the first port of call for regulatory interactions and must cooperate fully on all processing matters. On DPIAs, the DPO advises on whether one is needed, what methodology to use, what safeguards to apply, and whether the assessment was carried out properly. The DPO should prioritise their work based on the risk level of different processing activities.

How to Implement

Write a formal role description that covers every Article 39 task. Include advising on GDPR and national data protection obligations, monitoring compliance through audits and assessments, providing DPIA guidance and oversight, cooperating with the supervisory authority, acting as the contact point for regulators and data subjects, managing the training and awareness programme, and participating in breach response.

Put together an annual DPO work plan that schedules key activities across the year. Map out planned compliance audits and reviews, training delivery dates, DPIA involvement tied to project timelines, policy review cycles, senior management reporting periods, and time reserved for ad-hoc advice, data subject queries, and incident response.

Equip the DPO with practical compliance monitoring mechanisms. These should include periodic assessments against GDPR requirements, reviews of Records of Processing Activities for completeness and accuracy, audits of data subject request handling and response times, reviews of data processing agreements and vendor compliance, monitoring of breach response activities, and tracking of training completion rates.

Define the DPO's role in the DPIA process clearly. Specify at which stages they must be consulted, create templates for capturing their input, set up a review and sign-off workflow, and keep records of their advice - especially where the organisation chose a different path. The DPO should also follow up to confirm that measures identified in DPIAs are actually implemented.

Set up proper communication channels. Create a dedicated email address or web form for data protection queries from staff and data subjects. Publish the DPO's contact details in all privacy notices. Establish regular reporting to senior management and clear escalation procedures for urgent matters. The DPO needs to be reachable and responsive - an invisible DPO is a useless one.

Evidence Your Auditor Will Request

  • DPO role description covering all Article 39 tasks
  • DPO annual work plan with scheduled compliance activities
  • Compliance monitoring and audit reports produced by the DPO
  • Records of DPO advice on DPIAs and other data protection matters
  • Evidence of DPO cooperation with supervisory authority (correspondence, submissions)

Common Mistakes

  • DPO role limited to advisory function without monitoring or compliance oversight
  • No structured compliance monitoring programme, leading to reactive rather than proactive oversight
  • DPO not involved in DPIA process or involvement limited to rubber-stamping completed assessments
  • DPO inaccessible to staff and data subjects, undermining their contact point function
  • No annual work plan, leading to ad-hoc and inconsistent performance of DPO tasks

Related Controls Across Frameworks

Framework                    Control ID   Control                                                                  Relationship
ISO/IEC 27001:2022 Annex A   A.5.2        Information security roles and responsibilities                          Related
ISO/IEC 27001:2022 Annex A   A.5.36       Compliance with policies, rules and standards for information security   Related

Frequently Asked Questions

Is the DPO personally liable for GDPR compliance?
No. Under Article 24, the controller (the organisation) bears the responsibility for compliance. The DPO advises and monitors but does not carry personal liability for processing decisions, and Article 38(3) expressly prohibits dismissing or penalising the DPO for performing their tasks. That said, the DPO should always document their advice and recommendations - particularly when the organisation decides not to follow them. It protects everyone involved.
Can the DPO conduct audits of the organisation?
Yes, and they should. Monitoring compliance is an explicit task under Article 39(1)(b), and auditing is one of the most effective monitoring tools. The DPO can plan and run internal data protection audits, delegate parts of the work to team members, or recommend that the organisation brings in external auditors for independent assessments.
What should the DPO do if the organisation ignores their advice?
Document everything: the advice given, the decision to deviate, and the reasons the organisation provided. Escalate to the highest management level. If the non-compliance creates serious risk and leadership still refuses to act, the DPO needs to consider their obligations under national law and, in extreme situations, their own position within the organisation.
