European Union — DPO, ROPA & DPIAs

Data Protection Officer (DPO) is the role that Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) places at the centre of organisational accountability. Article 37 establishes when controllers and processors must designate a DPO; outside those three triggers, designation is voluntary but subject to the same obligations if undertaken.

## The three mandatory triggers — Article 37(1) GDPR

Article 37(1) GDPR requires both controllers and processors to designate a DPO "in any case where":

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

The public-authority carve-out is broad. Any entity exercising public functions under Member State law—government ministries, local councils, regulatory agencies, state hospitals, public universities—must appoint a DPO, regardless of processing scale or sensitivity. The judicial exception is narrow: it applies only to courts performing adjudicative functions; court administration (HR, procurement) is covered by the general public-authority rule.

(b) the core activities of the controller or processor consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

Three cumulative conditions define this trigger:

• Core activities — processing operations that are key to achieving the controller's or processor's objectives, or are an inextricable part of the activity. The EDPB-endorsed Article 29 Working Party Guidelines on Data Protection Officers (WP243 rev.01, April 2017) clarify that ancillary functions (employee payroll for a hospital) are not core; patient treatment records are.

• Regular and systematic monitoring — continuous or occurring at particular intervals, following a plan or system. Examples include behavioural advertising, profiling, geolocation tracking via mobile apps, fitness/health-device tracking, CCTV surveillance in public spaces, and employment monitoring. One-off monitoring does not trigger the obligation.

• Large scale — context-specific. WP243 identifies relevant factors: number of data subjects (as an absolute number or proportion of the relevant population); volume of data; duration; and geographic extent. Processing of all customers of a national telecoms operator is large-scale; a single GP practice is typically not.

(c) the core activities of the controller or processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

Article 9 special categories are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, health data, and data concerning sex life or sexual orientation. Article 10 covers criminal-conviction and offence data.

Both core activities and large scale carry the same meaning as in trigger (b). A private hospital network processing patient health records, a clinical research organisation handling genetic data for multi-site trials, or a background-check processor handling criminal-records data on a national scale would each meet this trigger.

## Group and public-body flexibilities

Article 37(2) GDPR permits a group of undertakings to appoint a single DPO, provided the DPO is "easily accessible from each establishment." Article 37(3) permits public authorities or bodies to designate a single DPO for several entities, "taking account of their organisational structure and size." Easy accessibility means the DPO can be contacted by data subjects, staff, and the supervisory authority in each location; physical proximity is not required, but language, time zones, and communication channels matter.

## Voluntary designation — Article 37(4) and attendant obligations

Where none of the Article 37(1) triggers apply, controllers and processors may designate a DPO voluntarily, or Member State law may require it. Once designated, the DPO must comply with all Article 38 (position) and Article 39 (tasks) obligations. The EDPB advises using the title "DPO" only when the role genuinely matches the GDPR definition; using the title for a person who lacks independence or the Article 39 mandate creates confusion and potential liability.

## Qualifications — Article 37(5)

The DPO must be designated "on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39." Recital 97 GDPR clarifies that the necessary level of expertise depends on the sensitivity, complexity, and volume of processing. WP243 emphasises that in-depth understanding of GDPR, national derogations, and the organisation's processing operations is essential; legal qualification is not mandatory, but domain expertise is.

## Employment model — Article 37(6)

The DPO may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract with an external individual or organisation. In the latter case, every individual acting as DPO (or as part of a DPO team) must meet the Article 37(5) qualifications and the Article 38(3)/(6) independence and conflict-of-interest safeguards.

## Enforcement landscape

The European Data Protection Board's January 2024 Coordinated Enforcement Action on DPO designation and position found that over 700,000 organisations across the EEA have registered DPOs, but identified persistent challenges: failure to designate even when mandatory; insufficient resources; DPOs tasked with functions that create conflicts of interest (particularly carrying out, rather than advising on, Data Protection Impact Assessments); and lack of reporting to highest management. Member State supervisory authorities continue to issue corrective orders and administrative fines under Article 83(4)(a) GDPR (up to €10 million or 2 % of annual worldwide turnover, whichever is higher) for non-designation or inadequate DPO position.

## Key CJEU clarification — X-FAB Dresden (C-453/21)

In X-FAB Dresden GmbH & Co. KG, judgment of 9 February 2023, the Court of Justice of the European Union clarified Article 38(6) GDPR (conflict of interests): a DPO cannot be entrusted with tasks or duties that would result in determining the purposes and means of processing. The DPO's functional independence requires that they review those purposes and means independently; combining the DPO role with senior management positions (CEO, COO, CFO, Head of HR, Head of IT) or with operational decision-making on processing creates an impermissible conflict. The Court also interpreted Article 38(3) GDPR: dismissal of the DPO for performing their tasks is prohibited; national law may impose stricter protections (e.g., requiring "just cause" under German labour law).

Source: Regulation (EU) 2016/679 (GDPR), Articles 37–39 Source: Article 29 WP Guidelines on DPOs (WP243 rev.01) Source: EDPB 2023 Coordinated Enforcement Action on DPO Designation and Position, January 2024 Source: CJEU judgment X-FAB Dresden, C-453/21, 9 February 2023

Records of Processing Activities (ROPA) under Article 30 GDPR are the foundational accountability document for demonstrating compliance with the General Data Protection Regulation. Article 30 imposes a written record-keeping obligation on both controllers and processors, with distinct content requirements for each role. The ROPA must be made available to the supervisory authority on request (Art. 30(4) GDPR) and is routinely the first document requested in investigations, audits, and post-breach inquiries.

## Mandatory ROPA contents for controllers — Article 30(1) GDPR

Each controller (and, where applicable, the controller's representative) must maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative, and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) (transfers based on a derogation for specific situations), the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1) GDPR (security of processing).

The Irish Data Protection Commission (DPC) emphasises in its April 2023 guidance that the ROPA should be granular and meaningful, providing specific detail for each category of data subject and each processing activity. Vague descriptions ("we process customer data for business purposes") or generic security statements ("appropriate technical measures") do not meet the Article 30 standard. The DPC clarifies that a Data Protection Impact Assessment (DPIA) does not substitute for a ROPA; the ROPA is a standalone accountability record.

## Mandatory ROPA contents for processors — Article 30(2) GDPR

Each processor (and, where applicable, the processor's representative) must maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or processor's representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1) GDPR.

The processor ROPA must map each controller the processor serves and describe the categories of processing (e.g., email hosting, payroll processing, cloud storage) carried out for that controller. When the processor engages sub-processors, supervisory authorities expect those relationships to be documented, either within the Article 30(2) record or in a linked sub-processor register.

## Small-enterprise exemption — Article 30(5) GDPR and its narrow scope

Article 30(5) GDPR states:

> "The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10."

This exemption is narrowly construed. The Article 29 Working Party (now endorsed by the EDPB) confirmed in its Position Paper on Article 30(5) (April 2018) that the exemption is triggered only when all three negative conditions are met simultaneously:

1. The processing does not pose a risk to the rights and freedoms of data subjects;
2. The processing is occasional (i.e., one-off or infrequent, not part of regular business operations); and
3. The processing does not involve Article 9 special-category data or Article 10 criminal-conviction data.

In practice, virtually no organisation meets all three conditions. Any entity with employees processes HR data regularly (salary, tax, benefits); any entity with customers processes contact or sales data regularly; any website operator processes visitor data via analytics, cookies, or contact forms. The EDPB's SME guide (2024) states plainly: "If you have customers and/or employees, you process their personal data periodically and regularly, so you need to keep records of processing activities related to such data subject categories."

The WP29 Position Paper further clarifies that "occasional" does not include payroll, website operation, customer relationship management, marketing email campaigns, or badge/access management — all are regular processing operations. One-off events (e.g., data processed solely for a shop opening) may be occasional, but must still be documented if they involve Article 9/10 data or pose a risk to individuals.

Note: In 2025, the European Commission proposed raising the employee threshold to 750 and limiting the exemption to processing that is not "likely to result in a high risk" (aligning with the Article 35 DPIA threshold). The EDPB/EDPS issued Joint Opinion 01/2025 welcoming the clarification but requesting further justification for the 750-employee threshold. As of May 2026, Article 30(5) remains at 250 employees with the three cumulative conditions above.

## Written form and availability on request — Article 30(3)–(4) GDPR

Article 30(3) GDPR requires that "the records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form." A purely oral inventory, mental map, or ad-hoc recollection does not satisfy the obligation. Electronic formats — spreadsheets, dedicated ROPA software, privacy-management platforms — are permitted and widely used. The DPC recommends that the ROPA be stored in a manner that allows a report to be easily generated if requested.

Article 30(4) GDPR states that "the controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request." There is no deadline specified in Article 30(4) itself, but Article 31 GDPR (cooperation with the supervisory authority) and the general principle of good-faith cooperation mean that the ROPA should be produced promptly — typically within days, not weeks. Refusal or undue delay is itself evidence of non-compliance and can trigger corrective measures under Article 58(2) GDPR.

## The ROPA as an accountability tool — Article 5(2) GDPR

Recital 82 GDPR states:

> "In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility."

The Irish DPC's 2023 guidance emphasises that the ROPA is "one of the means by which Data Controllers demonstrate and implement the principle of accountability as set out in Article 5(2) GDPR." A well-drafted ROPA demonstrates that the controller:

• is aware of all processing activities within the organisation;
• has considered the purpose of each processing activity and the legal basis under Article 6(1) (and, where applicable, Article 9(2)) that legitimises it;
• has limited the personal data collected to what is necessary for each purpose (data minimisation, Article 5(1)(c));
• has documented retention periods (storage limitation, Article 5(1)(e));
• has mapped international transfers and identified the Chapter V transfer mechanism (adequacy, SCCs, BCRs, or derogations);
• has described security measures (integrity and confidentiality, Article 5(1)(f) and Article 32).

The ROPA is the central reference for completing a Data Protection Impact Assessment (Article 35), responding to data-subject-rights requests (Articles 15–22), preparing breach notifications (Articles 33–34), and conducting internal audits. Article 29 WP Guidelines on DPOs (WP243 rev.01) confirm that while the DPO is not required to maintain the ROPA (that duty lies with the controller or processor), the controller may assign the DPO the task of maintaining the record, and the ROPA is a core tool enabling the DPO to monitor compliance, inform, and advise.

## Enforcement landscape and fine exposure

Failure to maintain an Article 30 ROPA, or maintaining an incomplete or inaccurate ROPA, is an infringement of Article 30 GDPR and subject to administrative fines under Article 83(4)(a) GDPR — up to €10 million or 2 % of total worldwide annual turnover, whichever is higher. Supervisory authorities across the EEA have consistently cited ROPA gaps as an aggravating factor in fine calculations, even when the primary infringement is a different GDPR provision (breach notification, lawful basis, transparency). The DPC's 2023 guidance notes that organisations without a ROPA, or with an incomplete one, are "consistently identified as having systematic compliance gaps."

The European Data Protection Board's January 2024 Coordinated Enforcement Action on DPO designation and position found that over 700,000 organisations across the EEA have registered DPOs, and the enforcement sweep also reviewed ROPA practices. Persistent challenges identified include: failure to document all processing activities; generic or non-specific descriptions; missing or outdated transfer-safeguard documentation; and conflating ROPA with other documents (privacy notices, DPIAs, data-processing agreements).

Source: Regulation (EU) 2016/679 (GDPR), Article 30 Source: Irish Data Protection Commission, Guidance Note: Records of Processing Activities (RoPA) under Article 30 GDPR, April 2023 Source: Article 29 Working Party, Position Paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR, endorsed by EDPB Source: EDPB 2023 Coordinated Enforcement Action on DPO Designation and Position, January 2024

Data Protection Impact Assessment (DPIA) under Article 35 GDPR is a structured process for identifying, assessing, and mitigating privacy risks before starting processing operations that are "likely to result in a high risk to the rights and freedoms of natural persons." The DPIA is a core accountability tool that helps controllers comply with GDPR principles, demonstrate necessity and proportionality, and document the safeguards built into the processing design. Article 35 makes the DPIA mandatory in specified circumstances and sets out what the assessment must contain.

## When a DPIA is mandatory — Article 35(1) and (3) GDPR

Article 35(1) GDPR establishes the general rule:

> "Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."

The assessment must be completed before the processing starts. The threshold is "likely to result in a high risk" — not certainty, but significant likelihood. Recital 84 GDPR clarifies that processing using new technologies may involve novel ways of collecting and using data that increase the risk, particularly when the controller has not been able to verify the impact.

Three specified mandatory triggers — Article 35(3) GDPR

Article 35(3) GDPR provides a non-exhaustive list of processing operations that "in particular" require a DPIA:

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

This trigger addresses automated decision-making and profiling that has significant consequences. Examples include credit scoring, algorithmic hiring systems, health-insurance risk assessments, and fraud-detection systems that automatically block accounts or deny services. The evaluation must be both systematic (methodical, following a plan) and extensive (broad in scope or coverage). The decision must produce legal effects (affecting contractual rights, legal status, eligibility) or similarly significantly affect the individual (e.g., exclusion from a service, denial of a benefit, reputational harm).

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10;

Article 9(1) special categories are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, health data, and data concerning sex life or sexual orientation. Article 10 covers criminal-conviction and offence data.

The GDPR does not define "large scale." The Article 29 Working Party Guidelines on DPIA (WP248 rev.01, endorsed by the EDPB) identify relevant factors: number of data subjects (absolute or as a proportion of the population); volume and range of data items; duration and permanence of the processing; and geographic extent. A national hospital network processing patient health records, a health insurer processing genetic data for underwriting decisions, or a background-check service handling criminal-records data across multiple EU Member States would each meet the large-scale threshold. A single general-practitioner practice typically does not.

(c) a systematic monitoring of a publicly accessible area on a large scale.

This trigger addresses systematic surveillance — continuous or regular observation following a plan. The archetypal example is CCTV surveillance in public spaces (train stations, shopping centers, public streets). "Publicly accessible" means areas open to the general public, not limited to outdoor spaces; a shopping mall, university campus, or hospital corridor can be publicly accessible. The monitoring must be systematic (not ad-hoc or one-off) and large-scale (covering significant numbers of individuals or a wide area).

Article 29 Working Party / EDPB criteria for high risk — WP248 rev.01

The Article 29 Working Party Guidelines on Data Protection Impact Assessment (WP248 rev.01, adopted October 2017, endorsed by the EDPB May 2018) provide nine criteria that help identify when processing is likely to result in high risk. WP248 states that processing meeting two or more criteria ordinarily requires a DPIA, though in some cases a single criterion may suffice. The nine criteria are:

1. Evaluation or scoring — including profiling and predicting aspects such as work performance, economic situation, health, personal preferences, reliability, or behavior.
2. Automated decision-making with legal or similarly significant effect — decisions without human intervention that have legal or comparably significant effects (Art. 22 GDPR processing).
3. Systematic monitoring — ongoing observation, tracking, or surveillance of individuals, especially when monitoring behavior or location.
4. Sensitive data or data of a highly personal nature — Art. 9 special categories, Art. 10 criminal data, or other highly personal data (e.g., electronic-communications content, location data, financial data).
5. Data processed on a large scale — assessed by the factors above (number of subjects, volume, duration, geographic extent).
6. Matching or combining datasets — merging datasets from different sources or for different purposes, especially when beyond the reasonable expectations of the data subject.
7. Data concerning vulnerable data subjects — children, employees, asylum seekers, elderly persons, patients, or individuals in situations where there is a power imbalance or reduced ability to consent or object.
8. Innovative use or applying new technological or organizational solutions — using a new technology (e.g., AI, facial recognition, IoT sensors) where the privacy risks are not yet well understood.
9. Processing that in itself prevents data subjects from exercising a right or using a service or contract — including processing that denies access to a service, blocks an account, or imposes a disadvantageous contract term based on the data.

Controllers should assess their processing operations against these criteria; meeting two or more ordinarily triggers the DPIA obligation.

## Mandatory contents of a DPIA — Article 35(7) GDPR

Article 35(7) GDPR specifies that the DPIA "shall contain at least" the following four elements:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

This description must identify: the categories of personal data; the categories of data subjects; the data flows (collection, use, storage, disclosure, deletion); the data processors and other recipients; and the retention periods. Where the controller relies on legitimate interests under Article 6(1)(f) GDPR, the DPIA must articulate the specific legitimate interest pursued.

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

The controller must demonstrate that the processing is necessary to achieve the stated purpose and that there is no less-intrusive alternative that would accomplish the same purpose. This is the data minimization and purpose limitation analysis: collecting only the data needed, retaining it no longer than necessary, and ensuring that the scope of processing is proportionate to the objective.

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

This is the risk assessment. The controller must identify the potential adverse impacts on individuals (discrimination, identity theft, financial loss, reputational damage, loss of control over personal data, unauthorized reversal of pseudonymization, physical harm, psychological distress, or other significant economic or social disadvantage). The assessment considers both the likelihood and severity of each risk.

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

This is the risk-mitigation plan. The controller must document the technical and organizational measures to be implemented: encryption, pseudonymization, access controls, staff training, transparency notices, mechanisms for data-subject-rights exercise, data-minimization features, retention schedules, breach-response procedures, and audit trails. These measures should reduce the residual risk to an acceptable level. If the residual risk remains high even after mitigation, the controller must consult the supervisory authority under Article 36 GDPR before commencing the processing.

## DPO involvement — Article 35(2) GDPR

Article 35(2) GDPR requires that "the controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment." The DPO does not perform the DPIA (that is the controller's obligation), but the controller must consult the DPO, and the DPO's advice and any disagreement should be documented within the DPIA. The DPO can monitor whether the DPIA was carried out and whether its recommendations were followed, as part of the DPO's Article 39 tasks.

## Consulting data subjects — Article 35(9) GDPR

Article 35(9) GDPR states: "Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations." Seeking data-subject views is not mandatory, but it is encouraged when feasible. Methods include surveys, focus groups, consultation with trade unions (for employee data), or consultation with patient advocates (for health data). If the controller decides not to consult data subjects, the DPIA should record the justification.

## Single DPIA for similar processing operations — Article 35(1) second sentence

Article 35(1) states: "A single assessment may address a set of similar processing operations that present similar high risks." Controllers may conduct a single DPIA covering multiple processing activities that are similar in nature, scope, context, purpose, and risk — for example, a DPIA for a nationwide CCTV deployment across all retail stores, or a DPIA for a suite of mobile health apps that share the same architecture and data flows. The DPIA should describe each variant and confirm that the risk profile and mitigation measures apply across all covered operations.

## Supervisory-authority DPIA lists — Article 35(4) and (5) GDPR

Article 35(4) GDPR requires each supervisory authority to establish and make public a list of the kinds of processing operations which are subject to the requirement for a DPIA. These lists further specify and complement the Article 35(3) criteria; they are not exhaustive, and processing not on the list may still require a DPIA if it meets the Article 35(1) high-risk threshold. The lists are subject to the consistency mechanism under Article 63 GDPR, and the EDPB has reviewed and issued opinions on the national lists to promote convergence.

Article 35(5) GDPR permits supervisory authorities to establish a list of processing operations for which no DPIA is required — a "negative" or "white" list. As of June 2026, most supervisory authorities have published both types of lists; controllers should consult the list of the supervisory authority in the Member State where the controller's main establishment is located.

## When a DPIA is not required — Article 35(10) GDPR

Article 35(10) GDPR provides an exemption:

> "Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities."

This exemption applies when the controller processes data on the basis of legal obligation (Art. 6(1)(c)) or public task (Art. 6(1)(e)), the legislation itself specifies the processing operations in detail, and a DPIA was conducted as part of the legislative impact assessment when the law was adopted. Recital 93 GDPR clarifies that Member States may still require a DPIA even when this exemption applies.

## Review and update — Article 35(11) GDPR

Article 35(11) GDPR states: "Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations." Controllers must re-assess the DPIA when the risk changes — for example, when new data categories are added, new recipients are introduced, the purpose expands, new technology is deployed, a breach occurs, or the legal or regulatory environment changes. The EDPB and national supervisory authorities recommend periodic reviews (e.g., every two to three years) even in the absence of a known change.

## Enforcement and EDPB coordination

Failure to conduct a DPIA when required, or conducting an inadequate DPIA that does not meet the Article 35(7) requirements, is an infringement of Article 35 GDPR and subject to administrative fines under Article 83(4)(a) GDPR — up to €10 million or 2 % of total worldwide annual turnover, whichever is higher. The EDPB coordinates enforcement through its coordinated enforcement actions and through opinions on Member State DPIA lists.

In April 2026 the EDPB adopted a DPIA Template to promote consistency across the EU. The template is non-binding but provides a structured format for controllers to demonstrate compliance with Article 35(7). Controllers may use the template, adapt it to their sector, or use alternative methodologies (including tools published by supervisory authorities such as the CNIL PIA tool), provided the DPIA contains the four mandatory elements and meets the accountability standard.

Source: Regulation (EU) 2016/679 (GDPR), Article 35 Source: Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, WP248 rev.01, endorsed by EDPB

Prior consultation under Article 36 GDPR is a mandatory procedural safeguard that bridges the Data Protection Impact Assessment (Article 35) and supervisory-authority oversight. When a DPIA reveals that processing would still result in high risk to the rights and freedoms of individuals even after the controller has implemented mitigation measures, the controller must consult the supervisory authority before commencing the processing. Article 36 consultation is not a voluntary check-in; it is a statutory obligation that prevents controllers from launching high-risk processing without regulatory review.

## When prior consultation is mandatory — Article 36(1) GDPR

Article 36(1) GDPR provides:

> "The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk."

The consultation trigger is twofold: (1) the controller has conducted a DPIA under Article 35, and (2) the DPIA demonstrates that the residual risk — the risk remaining after all mitigation measures have been implemented — is still high. The phrase "in the absence of measures taken by the controller to mitigate the risk" is sometimes misread; Recital 94 GDPR clarifies that it refers to the absence of the controller's intended mitigation measures, not the absence of any safeguards whatsoever. In other words, if the controller's planned safeguards (encryption, access controls, retention limits, transparency notices) reduce the risk to medium or low, no Article 36 consultation is required. If those planned safeguards still leave the risk high, consultation is mandatory.

The European Data Protection Board (EDPB) and its predecessor, the Article 29 Working Party, have consistently interpreted "high risk" in Article 36 as meeting the same threshold articulated in the DPIA context: processing that is likely to result in a significant adverse impact on the rights and freedoms of individuals — discrimination, identity theft, financial loss, reputational damage, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymization, physical harm, psychological distress, or other significant economic or social disadvantage. The EDPB Guidelines on DPIA (WP248 rev.01) state that when two or more of the nine WP248 criteria are met (evaluation or scoring; automated decision-making with legal or similarly significant effect; systematic monitoring; sensitive data or highly personal data; large-scale processing; matching or combining datasets; vulnerable data subjects; innovative use of technology; processing that prevents data subjects from exercising a right or using a service), the processing ordinarily presents high risk and a DPIA is required. If the DPIA then shows that the residual risk remains high, Article 36 consultation follows.

Example scenarios requiring Article 36 consultation include: a national health insurer deploying an AI-driven claims-rejection system that relies on profiling and special-category health data, where the DPIA identifies significant risk of discrimination even after mitigation; a smart-city authority implementing city-wide facial-recognition surveillance for public safety, where the DPIA reveals that anonymization and access controls do not reduce the risk of mass surveillance to below the high-risk threshold; a social-media platform introducing a new behavioral-advertising algorithm targeting children, where the DPIA demonstrates that even with parental-consent mechanisms, the risk of exploitation remains high.

## Information the controller must provide — Article 36(3) GDPR

Article 36(3) GDPR specifies the mandatory contents of the consultation request. The controller must provide the supervisory authority with:

(a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

This requirement maps the data-controller and processor roles (Art. 4(7), 4(8) GDPR) and clarifies who determines the purposes and means of processing. In a group context, the controller must identify which entities act as joint controllers (Art. 26) and which act as processors (Art. 28), and document the allocation of GDPR obligations.

(b) the purposes and means of the intended processing;

The controller must describe why the processing is being undertaken (the specific purposes under Art. 5(1)(b) purpose limitation) and how it will be carried out (the technical and organizational means, including the data flows, storage, and retention architecture).

(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;

This is the mitigation plan from the DPIA (Art. 35(7)(d) GDPR): encryption, pseudonymization, access controls, data minimization, transparency notices, mechanisms for data-subject-rights exercise, breach-response procedures, audit trails, and any Article 25 data-protection-by-design features. The controller must show the supervisory authority what safeguards have been planned and why the residual risk is still high.

(d) where applicable, the contact details of the data protection officer;

If the controller has designated a DPO under Article 37, the contact details must be provided. Article 36(2) EDPB Guidelines on DPOs (WP243 rev.01) clarify that the DPO should be involved in the consultation process, as monitoring compliance is a core Article 39 task. The controller must consult the DPO when carrying out a DPIA (Art. 35(2)), and the DPO's advice should inform the Article 36 submission.

(e) the data protection impact assessment provided for in Article 35; and

The full DPIA must be submitted. This is the foundational document: it contains the systematic description of the processing, the necessity and proportionality analysis, the risk assessment identifying likelihood and severity of adverse impacts, and the planned mitigation measures. The supervisory authority will review the DPIA to determine whether the controller has correctly characterized the residual risk as high and whether the proposed safeguards are adequate.

(f) any other information requested by the supervisory authority.

The supervisory authority may request additional documentation — for example, contracts with processors (Art. 28), records of processing activities (Art. 30), lawful-basis justifications under Article 6 and Article 9, or details of cross-border transfer mechanisms under Chapter V if the processing involves transfers to third countries.

## Supervisory-authority response timeline — Article 36(2) GDPR

Article 36(2) GDPR establishes the response deadline for the supervisory authority:

> "Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58."

The eight-week period begins when the supervisory authority receives the complete consultation request containing the Article 36(3) information. If the submission is incomplete, the clock does not start until the missing information is provided.

Extension for complexity: The eight-week period may be extended by six weeks (for a maximum total of 14 weeks), taking into account the complexity of the intended processing. The supervisory authority must inform the controller and processor of the extension within one month of receipt of the consultation request, together with the reasons for the delay (Art. 36(2), second and third sentences GDPR).

Suspension for additional information: The eight-week (or 14-week) period may be suspended until the supervisory authority has obtained any information it has requested for the purposes of the consultation (Art. 36(2), fourth sentence GDPR). If the controller fails to respond promptly to an information request, the response deadline is paused.

## Supervisory-authority powers during and after consultation — Article 58 GDPR

Article 36(2) GDPR states that the supervisory authority "may use any of its powers referred to in Article 58" when providing written advice. Article 58(3) GDPR grants each supervisory authority advisory powers, including the power to advise the controller in accordance with the prior-consultation procedure. If the supervisory authority concludes that the intended processing would infringe the GDPR — because the controller has insufficiently identified or mitigated the risk — the authority may:

• Issue a warning that the proposed processing is likely to infringe the GDPR (Art. 58(2)(a));
• Issue a reprimand if the controller proceeds despite the warning (Art. 58(2)(b));
• Order the controller to bring the processing into compliance with the GDPR in a specified manner and within a specified period (Art. 58(2)(d));
• Impose limitations on processing, including a temporary or definitive ban on processing (Art. 58(2)(f));
• Impose an administrative fine under Article 83(4)(a) GDPR (up to €10 million or 2 % of total worldwide annual turnover) for processing without prior consultation when required, or under Article 83(5)(a) for processing in breach of the basic principles (Art. 5) after having been ordered to desist.

Recital 94 GDPR confirms that the supervisory authority's advice "should take into account the outcome of the consultation and the controller's or processor's compliance with this Regulation." If the controller follows the supervisory authority's advice and implements the recommended additional safeguards, the processing may proceed. If the controller disagrees with the advice, it may proceed at its own risk, but any subsequent enforcement action will cite the prior consultation as evidence that the controller was aware of the non-compliance.

## Prohibition on processing before consultation is complete — Article 36(1) "prior to processing"

The phrase "prior to processing" in Article 36(1) is mandatory and unambiguous: the controller must not commence the processing until the consultation is complete. "Complete" means the supervisory authority has provided its written advice or the eight-week (or 14-week) period has expired without a response. Recital 94 GDPR states:

> "Where such consultation is required, it should take place prior to the processing and the supervisory authority should respond within a specified period."

The Irish Data Protection Commission (DPC), the French Commission Nationale de l'Informatique et des Libertés (CNIL), and the UK Information Commissioner's Office (ICO) have each confirmed in guidance that processing before consultation is a standalone infringement of Article 36(1), subject to administrative fines under Article 83(4)(a) GDPR, even if the processing itself would ultimately be lawful. The DPC's Data Protection Impact Assessment Guidance (2019, updated 2023) states plainly: "Where an organisation proceeds with high-risk processing without prior consultation with the DPC, this is a breach of Article 36(1) GDPR."

## Member State consultation during legislative drafting — Article 36(4) GDPR

Article 36(4) GDPR requires Member States (not controllers) to consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing. This provision ensures that national laws regulating data processing (for example, national derogations under Article 9(2)(g)–(j) for special-category data, or Article 88 employment-processing rules) are reviewed by the supervisory authority for GDPR compatibility before enactment. The EDPB Guidelines on Article 36(4) clarify that this consultation is mandatory when the legislative measure regulates processing in a manner that affects data-subject rights or controller obligations, and it is in addition to the controller-level Article 36(1) consultation.

## Member State power to require prior authorisation — Article 36(5) GDPR

Article 36(5) GDPR permits Member States to enact national legislation requiring controllers to consult with, and obtain prior authorisation from, the supervisory authority for processing carried out for the performance of a task in the public interest (Art. 6(1)(e)), including processing in relation to social protection and public health. This is a heightened prior-consultation regime that goes beyond the Article 36(1) requirement: the controller must wait for explicit authorisation, not merely written advice. As of June 2026, several Member States — including France (for certain health-data processing under Code de la santé publique) and Germany (for certain census and statistical processing under federal law) — have enacted Article 36(5) prior-authorisation regimes. Controllers subject to these regimes must comply with the national law in addition to the baseline Article 36(1)–(3) GDPR obligations.

## Enforcement landscape and fine exposure

Failure to consult the supervisory authority when required under Article 36(1), or commencing processing before the consultation is complete, is an infringement of Article 36 GDPR and subject to administrative fines under Article 83(4)(a) GDPR — up to €10 million or 2 % of total worldwide annual turnover, whichever is higher. The EDPB's January 2024 Coordinated Enforcement Action on DPO designation and position (which also reviewed DPIA and Article 36 compliance) found that many controllers either (1) failed to conduct a DPIA when required, (2) conducted an inadequate DPIA that did not correctly assess residual risk, or (3) proceeded with high-risk processing without consulting the supervisory authority. The EDPB noted that Article 36 non-compliance is often accompanied by other infringements — failure to establish a lawful basis (Art. 6), breach of transparency (Art. 13/14), inadequate security (Art. 32), or unlawful cross-border transfers (Chapter V) — and supervisory authorities frequently impose cumulative fines for multiple violations arising from the same processing operation.

The CNIL imposed a €90 million fine on Google Ireland in December 2020 (upheld on appeal in 2022) for processing personal data for advertising purposes without a valid legal basis and without conducting a DPIA or Article 36 consultation when high-risk profiling was involved. The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued a €35.3 million fine against H&M in October 2020 for systematic monitoring of employees without a DPIA or prior consultation, citing Article 36 non-compliance as an aggravating factor. The Spanish Agencia Española de Protección de Datos (AEPD) fined a telecommunications operator €8 million in 2021 for deploying a customer-profiling system that met the Article 35 DPIA threshold and showed high residual risk but proceeded without Article 36 consultation.

Source: Regulation (EU) 2016/679 (GDPR), Article 36 Source: Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, WP248 rev.01, endorsed by EDPB Source: EDPB 2023 Coordinated Enforcement Action on DPO Designation and Position, January 2024

Article 39 GDPR specifies the mandatory minimum tasks that every Data Protection Officer must perform, whether the DPO was designated because of the Article 37(1) triggers or voluntarily. These tasks are the functional core of the DPO role and define what it means to act as a DPO under the GDPR. The DPO does not make the data-processing decisions (that is the controller's or processor's responsibility), but the DPO informs, advises, monitors, and serves as the contact point for the supervisory authority and for data subjects.

Article 39(1) GDPR provides:

> "The data protection officer shall have at least the following tasks: > (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; > (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; > (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35; > (d) to cooperate with the supervisory authority; [and] > (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter."

The phrase "at least" in Article 39(1) is significant: these five categories are the mandatory minimum; the DPO may be assigned other tasks under Article 39(2), provided those tasks do not create a conflict of interest under Article 38(6) GDPR.

## Task (a): inform and advise the controller, processor, and employees

The DPO must inform and advise the controller or processor—and the employees who carry out processing—of their GDPR obligations and of other Union or Member State data-protection provisions. This task is proactive, not merely reactive. The Article 29 Working Party Guidelines on Data Protection Officers (WP243 rev.01, endorsed by the EDPB in May 2018) clarify that the DPO should provide timely and independent advice; the controller or processor must consult the DPO on data-protection questions, but the DPO is not obliged to wait to be asked—the DPO can and should advise proactively when the DPO identifies compliance gaps or new processing risks.

Informing includes raising awareness of GDPR obligations (purpose limitation, data minimization, lawful bases, transparency, security, breach notification) through training sessions, internal bulletins, policy documentation, and direct communication with business units. Advising includes providing specific recommendations on how to comply with those obligations in the context of the organization's actual processing activities—for example, advising on whether a particular processing operation requires consent under Article 6(1)(a) or can rely on legitimate interests under Article 6(1)(f), or advising on the appropriate retention period under Article 5(1)(e).

The advisory duty extends to "other Union or Member State data protection provisions" beyond the GDPR itself—for example, the ePrivacy Directive (Directive 2002/58/EC as amended), Member State derogations under GDPR Article 9(2)(g)–(j) for special-category data, Article 88 national laws on employment processing, or sector-specific rules (telecommunications, health, financial services). The DPO is expected to have expertise in the full regulatory landscape that applies to the organization's processing.

The EDPB's January 2024 Coordinated Enforcement Action on DPO Designation and Position found that only a median of 22.54 % of surveyed organizations involved the DPO all of the time in handling data-protection issues. This systematic under-consultation undermines the Article 39(1)(a) task. The EDPB noted that controllers must structurally involve the DPO at the design stage of processing operations, not only at the end when compliance issues have already materialized.

## Task (b): monitor compliance with GDPR and data-protection policies

The DPO must monitor compliance with the GDPR, with other Union or Member State data-protection provisions, and with the controller's or processor's own data-protection policies. Article 39(1)(b) specifically lists four sub-tasks within the monitoring function:

1. Assignment of responsibilities — ensuring that the controller or processor has clearly defined who is responsible for data-protection compliance (senior management, data-protection coordinators, business-unit heads, IT teams);
2. Awareness-raising — promoting a culture of data protection within the organization through campaigns, newsletters, intranet resources, or executive briefings;
3. Training of staff involved in processing operations — delivering GDPR training tailored to different roles (HR, marketing, IT, customer service, legal); and
4. Related audits — conducting or supervising internal audits, compliance reviews, or spot checks to verify that processing activities align with GDPR obligations and internal policies.

Monitoring does not mean the DPO performs the processing operations. The controller or processor remains responsible under Article 5(2) GDPR (accountability) for demonstrating compliance. The DPO's monitoring role is oversight and verification: the DPO checks that the organization has implemented appropriate technical and organizational measures (Article 32), maintains accurate Records of Processing Activities (Article 30), conducts DPIAs when required (Article 35), and respects data-subject rights (Articles 15–22).

WP243 rev.01 clarifies that the DPO may report directly to the highest management level (board of directors, CEO, executive committee) on the state of compliance. This reporting line is essential for the DPO's independence under Article 38(3) and ensures that data-protection issues are escalated when necessary. The EDPB's 2024 enforcement report found that in many organizations, DPOs lacked sufficient access to senior management and were not routinely consulted before decisions with data-protection implications were finalized.

## Task (c): advise on DPIAs and monitor their performance

The DPO must provide advice where requested as regards the Data Protection Impact Assessment (DPIA) and must monitor its performance pursuant to Article 35 GDPR. This task has two components:

1. Advisory role: The controller must seek the advice of the DPO when carrying out a DPIA (Article 35(2) GDPR). The DPO does not write the DPIA (that is the controller's obligation under Article 35(1)), but the controller must consult the DPO on the scope of the DPIA, the necessity and proportionality analysis, the risk assessment, and the proposed mitigation measures. If the DPO's advice is not followed, WP243 rev.01 recommends that the controller document the reasons for departing from the DPO's recommendations. The DPIA itself should record that the DPO was consulted and summarize the DPO's advice.

1. Monitoring role: The DPO must monitor whether the DPIA was actually carried out when required under Article 35, whether the DPIA methodology meets the Article 35(7) requirements (systematic description, necessity and proportionality assessment, risk assessment, mitigation measures), and whether the controller implements the mitigation measures identified in the DPIA. This is an ongoing task: the DPO should verify that DPIAs are reviewed and updated when the processing changes (Article 35(11) GDPR).

The EDPB's enforcement report (January 2024) identified a widespread problem: DPOs were sometimes performing the DPIA themselves, rather than advising and monitoring. This creates a conflict of interest under Article 38(6) GDPR, because the DPO would then be reviewing and monitoring the DPO's own work. The CJEU's judgment in X-FAB Dresden GmbH & Co. KG (C-453/21, 9 February 2023) reinforced that a DPO cannot be entrusted with tasks or duties which would result in determining the purposes and means of processing; performing the DPIA is determining those purposes and means. The DPO's role is to advise and monitor, not to decide.

## Task (d): cooperate with the supervisory authority

The DPO must cooperate with the supervisory authority. This task is deliberately broad. It includes:

• Responding to requests from the supervisory authority for information, documentation, or access to the controller's or processor's premises during an investigation (Article 58(1) investigative powers);
• Facilitating inspections, audits, or on-site visits by the supervisory authority;
• Providing the supervisory authority with the Records of Processing Activities (Article 30(4) GDPR: "the controller or the processor … shall make the record available to the supervisory authority on request");
• Submitting the controller's or processor's DPIA for prior consultation under Article 36 when high residual risk remains after mitigation;
• Reporting personal data breaches to the supervisory authority under Article 33 (though the controller is the entity responsible for the notification, Article 33(1), the DPO typically coordinates the breach-notification process);
• Participating in consultations, working groups, or sector-specific initiatives organized by the supervisory authority.

The DPO's cooperation duty does not override the controller's or processor's own obligations under Article 31 GDPR (cooperation with the supervisory authority) or the controller's liability under Article 33–34 for breach notification. The DPO facilitates cooperation but does not substitute for the controller's or processor's legal responsibilities.

## Task (e): act as contact point for the supervisory authority and consult on other matters

The DPO must act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 GDPR, and to consult, where appropriate, with regard to any other matter. This makes the DPO the primary interlocutor between the organization and the supervisory authority on data-protection questions.

Contact-point role means the supervisory authority can direct questions, requests, notices, or enforcement decisions to the DPO, and the DPO must relay those communications to the controller or processor. The DPO must be easily accessible (Recital 97 GDPR). Article 37(7) GDPR requires the controller or processor to publish the contact details of the DPO and communicate them to the supervisory authority. Many supervisory authorities maintain a DPO register (for example, in Germany, Austria, France, and Italy); controllers and processors subject to the Article 37 designation obligation must register the DPO's contact details with the competent supervisory authority.

Prior consultation under Article 36 is explicitly mentioned in Article 39(1)(e). When the DPIA reveals that processing would still result in high risk even after mitigation measures, the controller must consult the supervisory authority before commencing the processing (Article 36(1) GDPR). The DPO is the point of contact for that consultation: the DPO submits the consultation request (containing the information specified in Article 36(3)), communicates with the supervisory authority during the eight-week (or 14-week) response period, and ensures that the controller follows the supervisory authority's written advice or documents the reasons for not doing so.

"Consult, where appropriate, with regard to any other matter" is a catch-all that allows the DPO to seek guidance from the supervisory authority on novel or complex data-protection questions—for example, whether a particular data-processing operation falls under the GDPR's territorial scope (Article 3), whether a cross-border transfer mechanism is adequate under Chapter V, or how to interpret a recent CJEU judgment or EDPB guideline. The phrase "where appropriate" means the DPO exercises judgment about when supervisory-authority input would be useful, but the DPO is encouraged to consult proactively rather than wait until a compliance issue has escalated.

## Task (e) alternative reading: contact point for data subjects

Article 39(1)(e) also requires the DPO to act as contact point for the supervisory authority. Some GDPR translations and Recital 97 have been read to imply that the DPO is also the contact point for data subjects on issues relating to their personal data (access requests, erasure requests, objections, complaints). Article 13(1)(b) and Article 14(1)(b) GDPR require the controller to provide data subjects with the contact details of the DPO, where applicable, which supports the view that data subjects may contact the DPO.

The Article 29 Working Party clarified in WP243 rev.01 that the DPO may be the first point of contact for data subjects exercising their rights under Articles 15–22 GDPR, but the controller remains responsible for responding to those requests within the Article 12(3) one-month deadline. The DPO can facilitate the process (routing the request to the correct business unit, advising the controller on how to respond, monitoring compliance with the deadline), but the DPO does not decide whether to grant or refuse the request—that is the controller's decision.

## Other tasks and duties — Article 39(2) GDPR

Article 39(2) GDPR permits the DPO to "fulfil other tasks and duties" beyond the Article 39(1) minimum. The controller or processor must ensure that any such additional tasks do not result in a conflict of interests (Article 38(6) GDPR).

Permissible additional tasks might include: acting as the organization's representative on data-protection networks or industry forums; drafting or updating the organization's privacy policy or privacy notices; coordinating GDPR-compliance projects (e.g., implementing a new data-subject-rights portal or deploying encryption); or advising on contracts with processors under Article 28.

Impermissible additional tasks that create a conflict of interest include: determining the purposes and means of processing (a core controller function under Article 4(7) GDPR); serving in senior management positions (CEO, COO, CFO, Head of HR, Head of IT, Head of Marketing) where the person decides what data to collect and how to use it; or performing operational tasks (e.g., running the marketing-automation platform, managing the HR database) that the DPO would then be expected to monitor or audit. The CJEU in X-FAB Dresden (C-453/21, 9 February 2023) held that functional independence requires that the DPO review purposes and means independently; combining the DPO role with a decision-making role is an impermissible conflict.

## Controller and processor duties to support the DPO — Article 38(2) GDPR

The DPO cannot perform the Article 39 tasks without organizational support. Article 38(2) GDPR requires the controller and processor to support the data protection officer in performing the tasks referred to in Article 39 by:

• Providing resources necessary to carry out those tasks — sufficient time (DPOs need adequate hours to perform the monitoring, advisory, and training functions; part-time DPOs must have enough capacity), financial budget (for training, privacy-management tools, legal subscriptions, external audits), and personnel (a DPO may have a team or data-protection coordinators);
• Providing access to personal data and processing operations — the DPO must be able to see what data is being processed, how it flows through the organization, what third parties receive it, and what security measures are in place; without access, the DPO cannot monitor compliance;
• Enabling the DPO to maintain his or her expert knowledge — the DPO must stay current with GDPR case law (CJEU judgments), EDPB guidelines, national supervisory-authority guidance, and technological developments (AI, biometrics, cloud architectures); the controller or processor must fund continuing education, conferences, certifications, and subscriptions.

The EDPB's 2024 enforcement report found that a median of 17 % of surveyed organizations reported that the DPO did not have the necessary resources to carry out the Article 39 tasks. Resource constraints are a persistent compliance gap that undermines the DPO's effectiveness and exposes the controller or processor to liability under Article 83(4)(a) GDPR (administrative fines up to €10 million or 2 % of worldwide annual turnover for infringement of Articles 38–39).

## Relationship to other GDPR obligations

The DPO's Article 39 tasks enable but do not replace the controller's and processor's own GDPR obligations. The controller must still:

• Ensure lawful bases for processing (Article 6);
• Conduct DPIAs when required (Article 35);
• Notify personal data breaches to the supervisory authority (Article 33) and to data subjects (Article 34);
• Respond to data-subject-rights requests (Articles 15–22);
• Maintain Records of Processing Activities (Article 30);
• Implement technical and organizational security measures (Article 32);
• Demonstrate accountability (Article 5(2)).

The DPO advises, monitors, and facilitates compliance with these obligations but does not discharge them. If the controller ignores the DPO's advice and proceeds with unlawful processing, the controller—not the DPO—is liable under Article 83 for the infringement.

## Enforcement and fine exposure

Failure to designate a DPO when required (Article 37), failure to ensure the DPO has the Article 38 position and resources, or failure to ensure the DPO performs the Article 39 tasks are infringements subject to administrative fines under Article 83(4)(a) GDPR — up to €10 million or 2 % of total worldwide annual turnover, whichever is higher.

The EDPB's January 2024 enforcement report noted that over 700,000 organizations across the EEA have registered DPOs, but identified systemic deficiencies in how DPOs are positioned and resourced. Common problems included: DPOs not involved in decisions with data-protection implications; DPOs given conflicting operational duties; DPOs lacking access to senior management; DPOs not consulted on DPIAs; and DPOs insufficiently resourced for training and monitoring tasks. Supervisory authorities issued corrective orders and warnings, and several formal enforcement actions remain ongoing as of June 2026.

Source: Regulation (EU) 2016/679 (GDPR), Article 39 Source: Article 29 Working Party, Guidelines on Data Protection Officers (DPO), WP243 rev.01, endorsed by EDPB Source: EDPB, 2023 Coordinated Enforcement Action on DPO Designation and Position, January 2024 Source: CJEU judgment, X-FAB Dresden GmbH & Co. KG, C-453/21, 9 February 2023

Article 39 GDPR sets out the mandatory tasks of the Data Protection Officer (DPO). Once designated under Article 37, the DPO must perform these statutory duties regardless of whether designation was mandatory or voluntary. The tasks are not optional; they define the core statutory function of the DPO and are enforceable by supervisory authorities. Controllers and processors must support the DPO in performing these tasks (Art. 38(2) GDPR), but the DPO must not be instructed as to how to perform them or what conclusions to reach (Art. 38(3) GDPR).

## The four core tasks — Article 39(1) GDPR

Article 39(1) GDPR provides that the DPO "shall have at least the following tasks":

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

The DPO's informing and advising role is foundational. The Article 29 Working Party Guidelines on Data Protection Officers (WP243 rev.01, endorsed by the EDPB) clarify that this task encompasses proactive information provision — raising awareness of GDPR obligations among staff through training, briefings, and updates — and reactive advice on specific matters when the controller or processor is making decisions with data-protection implications (launching a product, choosing a lawful basis under Article 6, entering a processor agreement under Article 28).

The obligation extends to "other Union or Member State data protection provisions," including the ePrivacy Directive (Directive 2002/58/EC as amended), national derogations under GDPR (e.g., Art. 9(2)(g)–(j) for special-category data, Art. 88 employment processing), sector-specific rules (Directive (EU) 2016/680 for law-enforcement processing), and any national data-protection legislation enacted under the GDPR's Member State openings.

The employees who carry out processing include all staff whose work involves personal data: IT administrators, HR personnel, marketing teams, customer-service representatives, data analysts, and third-party data processors acting on the controller's behalf. WP243 emphasises that the DPO should be involved from the earliest stage in any project that involves personal data (Art. 38(1) GDPR).

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

The DPO's monitoring function is ongoing and risk-based. Article 39(2) GDPR states that "the data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing." The DPO does not conduct processing operations or decide whether to launch a processing activity — those are controller or processor responsibilities. Instead, the DPO observes, reviews, and reports on compliance.

WP243 clarifies the scope of monitoring:

• Audit and review — the DPO may conduct internal audits or request audit reports. The DPO must have access to personal data and processing operations (Art. 38(2) GDPR) in order to verify compliance.
• Responsibility mapping — the DPO monitors whether the controller has properly assigned responsibilities for data protection within the organisation (e.g., who responds to data-subject-rights requests under Articles 15–22, who handles breach notification under Articles 33–34).
• Awareness-raising and training — the DPO monitors whether the controller or processor has trained staff on GDPR obligations and flags gaps when staff are unaware of transparency (Arts. 13/14), security (Art. 32), or other core obligations.
• Compliance with internal policies — many controllers adopt internal data-protection policies, codes of conduct, or binding corporate rules (BCRs). The DPO monitors adherence to these internal standards in addition to GDPR itself.

The EDPB's January 2024 Coordinated Enforcement Action on DPO Designation and Position found that monitoring compliance was frequently under-resourced and that controllers must enable the DPO by providing access, time, and tools.

(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

The DPO's DPIA advisory and monitoring role is expressly linked to Article 35 GDPR. Article 35(2) GDPR requires that "the controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment." The controller must consult the DPO; it is not optional. The DPO's role includes:

• Advice on whether a DPIA is required — when the controller is unsure whether processing meets the Article 35(1) high-risk threshold or is covered by the supervisory authority's DPIA lists under Article 35(4).
• Advice on DPIA methodology — ensuring that the four mandatory elements under Article 35(7) are addressed: systematic description of processing, necessity and proportionality analysis, risk assessment, and mitigation measures.
• Review of the DPIA output — the DPO reviews the completed DPIA to determine whether the controller has correctly identified and assessed risks and whether the proposed safeguards are adequate. If the DPIA reveals high residual risk, the DPO advises the controller that prior consultation with the supervisory authority under Article 36 is mandatory.
• Monitoring DPIA performance — the DPO monitors whether the controller actually implements the mitigation measures documented in the DPIA and whether the DPIA is reviewed and updated when the risk changes (Art. 35(11) GDPR).

WP243 makes clear that the DPO does not perform the DPIA — that is the controller's obligation under Article 35(1). However, the controller may involve the DPO in carrying out the DPIA, provided this does not create a conflict of interest. The CJEU's judgment in X-FAB Dresden GmbH & Co. KG (C-453/21, 9 February 2023) clarified that a DPO cannot be entrusted with tasks or duties that would result in determining the purposes and means of processing — the DPO's functional independence requires that the DPO review those purposes and means independently.

(d) to cooperate with the supervisory authority;

The DPO is the point of contact between the controller or processor and the supervisory authority. WP243 states that cooperation under Article 39(1)(d) includes:

• Responding to supervisory-authority requests — when the supervisory authority exercises its investigative, corrective, or advisory powers under Article 58 GDPR, the DPO facilitates the response. For example, when the authority requests the Records of Processing Activities under Article 30(4) or requests information under Article 58(1)(a), the DPO coordinates the submission.
• Serving as the contact point — Article 37(7) GDPR requires the controller or processor to publish the contact details of the DPO and to communicate them to the supervisory authority. The supervisory authority will ordinarily direct its inquiries, audits, and consultation requests to the DPO.
• Prior consultation under Article 36 — when the controller must consult the supervisory authority before commencing high-risk processing, the DPO typically prepares and submits the Article 36 consultation request and liaises with the authority during the eight-week (or 14-week) review period.
• Breach notification support — although the controller is responsible for notifying the supervisory authority of a personal data breach under Article 33 GDPR, the DPO plays a central role in assessing whether the breach meets the notification threshold, drafting the notification, and ensuring it is submitted within the 72-hour deadline from when the controller became aware of the breach.

The EDPB's 2024 Coordinated Enforcement Action noted that in many organisations the DPO was not consulted promptly after a breach occurred, resulting in late or incomplete notifications.

(e) to act as the contact point for data subjects on all issues related to processing of their personal data and to the exercise of their rights under this Regulation.

The DPO is the data-subject-facing contact for privacy inquiries and rights requests. This does not mean the DPO must personally respond to every request — controllers often designate a customer-service team or a dedicated rights-request inbox — but the DPO must be reachable by data subjects and must oversee the rights-request process to ensure compliance.

WP243 clarifies that:

• Data subjects may contact the DPO for information about how their data is processed, for assistance in exercising rights (access under Article 15, rectification under Article 16, erasure under Article 17, restriction under Article 18, portability under Article 20, objection under Article 21, and safeguards against automated decision-making under Article 22), or to lodge internal complaints before escalating to the supervisory authority.
• The DPO advises on rights-request handling — the controller remains responsible for responding to data-subject requests within the Article 12(3) GDPR one-month deadline (extendable by two further months for complex or numerous requests). The DPO monitors whether the controller's rights-request workflow complies with GDPR and advises on edge cases.
• Publishing contact details — Article 37(7) GDPR requires the controller to publish the contact details of the DPO, typically in the privacy notice, on the website, and in any data-subject communication materials.

The EDPB's 2024 enforcement findings showed that in some organisations the DPO contact details were not published or were difficult for data subjects to find, breaching Article 37(7) and undermining the Article 39(1)(e) contact-point function.

## The DPO does not decide — the controller remains accountable

A critical point emphasised in WP243 and confirmed by the CJEU in X-FAB Dresden is that the DPO does not have decision-making powers extending beyond the Article 39 tasks. The DPO informs, advises, monitors, and cooperates, but the controller or processor decides whether to proceed with a processing operation, which lawful basis to rely on, how to respond to a data-subject request, and whether to accept the risk identified in a DPIA.

Article 5(2) GDPR (the accountability principle) places the burden of demonstrating compliance on the controller, not the DPO. If the controller disregards the DPO's advice and proceeds with processing that the DPO has flagged as non-compliant, the controller bears the enforcement and liability risk. WP243 recommends, as good practice, that controllers document the reasons for not following the DPO's advice, so that the decision trail is transparent in any subsequent audit or investigation.

## Support, resources, and access — Article 38(2) GDPR

Article 38(2) GDPR obliges the controller and processor to "support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge." This obligation is enforceable and frequently cited by supervisory authorities. The EDPB's 2024 Coordinated Enforcement Action found that insufficient resourcing — no dedicated time for DPO duties, no budget for training or tools, no access to processing systems — was the most common impediment to effective DPO functioning.

WP243 specifies that resources include:

• Active support from management — the DPO must be able to escalate issues to the highest management level and must be involved properly and in a timely manner in all decisions that affect data protection (Art. 38(1) GDPR).
• Sufficient time — if the DPO role is combined with other duties (permitted under Article 38(6), provided no conflict of interest arises), the controller must ensure the DPO has adequate time to perform the Article 39 tasks.
• Financial resources — budget for DPO training, attendance at supervisory-authority workshops, subscription to legal-update services, and, where the organisation is large or processing is complex, budget for a DPO team or external consultants.
• Access to processing operations and personal data — the DPO cannot monitor compliance (Art. 39(1)(b)) without being able to see what is being processed. Controllers must grant the DPO access to data systems, Records of Processing Activities (Art. 30), data-processing agreements (Art. 28), DPIAs (Art. 35), and any other documentation needed to perform the Article 39 tasks.

Failure to provide these resources is a breach of Article 38(2) GDPR and subject to administrative fines under Article 83(4)(a) — up to €10 million or 2 % of total worldwide annual turnover, whichever is higher.

## Enforcement landscape and EDPB findings

The EDPB's January 2024 Coordinated Enforcement Action on DPO Designation and Position surveyed over 700,000 registered DPOs across the EEA and identified persistent compliance gaps: many organisations designated a DPO but did not formally assign all five tasks under Article 39(1); DPOs lacked access to processing operations and were not consulted on new projects until after processing had commenced; DPOs were excluded from senior management meetings; many DPOs had no dedicated time for DPO duties, no training budget, and no administrative support; and in some organisations the DPO also held a senior management position that involved determining the purposes and means of processing, creating an Article 38(6) conflict of interest.

The EDPB recommended that supervisory authorities step up enforcement on DPO position and tasks, and that controllers document how the DPO performs each Article 39 task.

Source: Regulation (EU) 2016/679 (GDPR), Article 39 Source: Article 29 Working Party, Guidelines on Data Protection Officers (WP243 rev.01), endorsed by EDPB Source: EDPB 2023 Coordinated Enforcement Action on DPO Designation and Position, January 2024 Source: CJEU judgment X-FAB Dresden, C-453/21, 9 February 2023