Profile of the DPO


The DPO is a professional whose functions are indicated in Article 39 of Regulation (EU) 679/2016, and deals with the application of the legislation on privacy and data protection.

The Data Protection Officer will have at least the following functions: 


a)                          inform and advise the controller or processor and the employees involved in the handling of their obligations under the Regulation and other data protection provisions of the Union or of the Member States;

b)                         monitor compliance with the provisions of the Regulation, other data protection provisions of the Union or the Member States and the policies of the data controller or data processor in relation to the protection of personal data,

c)                          supervise the assignment of responsibilities,,

d)                         supervise the awareness and training of the personnel participating in the treatment operations

e)                         supervise the corresponding audits;

f)                           offer the advice requested about the impact assessment regarding data protection

g)                          monitor its application in accordance with Article 35 of the Regulations;

h)                         cooperate with the supervisory authority;

i)                           act as the contact point of the supervisory authority for matters relating to processing, including the prior consultation referred to in Article 36, and

j)                           make inquiries to the supervisory authority, as the case may be, about any other matter.


The data protection officer will perform his duties by paying due


attention to the risks associated with the treatment operations, taking into account the nature, scope, context and purposes of the treatment.


For this you must be able to:


a)       collect information to determine treatment activities,

b)      analyze and verify the compliance of the treatment activities, and

c)       inform, advise and issue recommendations to the person in charge or the person in charge of the treatment.

d)      collect information to supervise the registration of treatment operations.

e)      advise on the application of the principle of data protection by design and by default.

f)        advise on:• whether or not an impact assessment of data protection should be carried out


• what methodology should be followed when conducting an impact assessment of data protection


• whether the impact assessment of data protection with own resources or with outsourcing should be carried out


• what safeguards (including technical and organizational measures) to apply to mitigate any risk to the rights and interests of those affected


• whether the impact assessment of data protection has been carried out correctly or not


• if your conclusions (whether to proceed or not with the treatment and what safeguards apply) are in accordance with the Regulation.


g)       prioritize their activities and focus their efforts on those issues that present the greatest risks related to data protection.

h)      advise the controller on:


• what methodology to use when carrying out an impact assessment of data protection,


• which areas should undergo internal or external data protection audit,


• what internal training activities to provide the staff or directors responsible for the data processing activities and to which treatment operations to devote more time and resources.