The Data Protection Officer (DPO) plays a facilitating and dual role in the GDPR (Section 4 GDPR). The controller appoints the DPO and provides the preconditions (Article 38 GDPR) for adequate performance of tasks (Article 39 GDPR). The DPO facilitates the controller and is the point of contact for the data subject and the forward post of the personal data authority (Article 39 paragraph 5 GDPR).
Article 37 paragraph 1.d GDPR: ”The controller and the processor designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except in the case of courts in the exercise of their judicial functions;
- a controller or the processor is mainly responsible for processing operations which, due to their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the controller or processor is mainly responsible for large-scale processing of special categories of data pursuant to Article 9 and of personal data relating to criminal convictions and offenses referred to in Article 10.”
Article 37 paragraph 5 GDPR: “The data protection officer is appointed on the basis of his professional qualities and, in particular, his expertise in data protection law and practice and his ability to fulfill the tasks referred to in Article 39. “