The DPO is not the controller: the DPO advises and supervises. The controller still decides the purposes and means of processing (and a processor acts on the controller's documented instructions). Confusing the DPO with an executive or decision-making role is one of the most common mistakes.
What a DPO is
A DPO (Data Protection Officer) is the role responsible for overseeing GDPR compliance within an organization. The DPO informs and advises management on legal obligations, monitors compliance with the regulation, cooperates with the supervisory authority (in Spain the AEPD) and acts as the point of contact for data subjects. Functional independence is explicitly protected by Article 38 of the GDPR: the DPO cannot receive instructions on how to perform the tasks of the role, must report directly to the highest management level, and cannot be dismissed or penalised for performing those tasks.
Why it matters
GDPR (Article 37) requires a DPO in three cases: when the processing is carried out by a public authority or body, when core activities require regular and systematic monitoring of individuals on a large scale, or when core activities consist of large-scale processing of special categories of data (health, biometrics, ideology, etc.) or of data relating to criminal convictions and offences. Beyond the legal obligation, a properly empowered DPO helps avoid administrative fines that can reach 20 million euros or 4% of global annual turnover, whichever is higher. In organizations also subject to NIS2 or DORA, the DPO is in practice the link between data protection duties and cybersecurity and operational resilience requirements, ensuring the legal and security teams speak a common language.
Key points
The DPO can be internal or external. In SMBs an external DPO (legal firm or specialized consultancy) is common due to cost and the scarcity of internal legal expertise. In large organizations the DPO is usually internal or a team.
Independence is legal, not negotiable. The DPO must report to the highest management level and have the resources to do the job. If the organization instrumentalizes or sanctions the DPO for doing the work, the supervisory authority can intervene.
DPO and CISO are complementary, not interchangeable. The DPO focuses on privacy and data subject rights; the CISO on technical and organizational security. In a personal data breach, both coordinate response and notification.
Example: data breach with personal data
An e-commerce company detects exfiltration of its customer database (names, emails, addresses, order history). The CISO triggers incident response and contains the breach. In parallel, the DPO assesses whether the data is personal and of which category, evaluates whether the breach poses a risk to the rights and freedoms of those affected, and advises the controller on whether notification to the supervisory authority is required within 72 hours of becoming aware of the breach (Article 33 GDPR) and whether individual communication to data subjects is required because of a high risk (Article 34). The DPO also ensures the controller documents the breach, its effects and the remedial action taken in the mandatory breach register (Article 33(5)), which the supervisory authority can request even when no notification was made. Without a DPO, organizations frequently miss deadlines or communicate incorrectly, multiplying the regulatory risk.
Common mistakes
- Appointing a DPO 'just to comply' without giving them resources, training or access to information needed to perform the role. Supervisory authorities have sanctioned this kind of nominal appointment.
- Confusing the DPO with a general compliance officer or in-house counsel. They are distinct roles with specific regulation and obligations.
- Not involving the DPO in new projects until they are nearly final. GDPR requires that the DPO be involved properly and in a timely manner in all data protection issues (Article 38(1)), and that data protection be built in from the design stage (Article 25, data protection by design and by default). Late involvement multiplies remediation cost.
- Publishing the DPO contact only in legal notice pages and not in places accessible to data subjects (forms, emails, privacy policy). GDPR requires facilitating the exercise of rights, not hiding it.
Frequently asked questions
Does every company need a DPO?
No. It is only mandatory in the three cases of GDPR Article 37: public bodies, processing that requires systematic monitoring of individuals at scale, or large-scale processing of special categories of data. Outside those cases the DPO can still be appointed voluntarily, but independence requirements apply equally.
Can the DPO be internal or must it be external?
Both are legal. An internal DPO knows the organization better; an external one brings legal independence and specialization. In SMBs the external option is common because of cost and the difficulty of finding internal profiles with the required qualifications.
What qualifications does a DPO need?
GDPR requires 'expert knowledge of data protection law and practice'. There is no single mandatory degree, but the Spanish supervisory authority recognizes certification schemes for DPOs issued by ENAC-accredited bodies. In practice, legal profiles with experience in privacy and compliance are the most common.