
GDPR Article 39: DPO Tasks Explained (Full List)

GDPR Article 39 DPO tasks: 6 mandatory duties, EDPB WP243 guidance, independence rules, reporting line, sanctions, internal vs external DPO.

In one sentence. GDPR Article 39 lists the six mandatory tasks of the Data Protection Officer: (a) inform and advise on GDPR obligations, (b) monitor compliance and assign responsibilities, (c) advise on and monitor DPIAs, (d) cooperate with the supervisory authority, (e) act as contact point for the supervisory authority, (f) consult the supervisory authority on prior consultation matters. The DPO performs these tasks with due regard to risk associated with processing operations. Official text: EUR-Lex Regulation (EU) 2016/679, Article 39.

The DPO is not the controller — they advise. Article 38 protects DPO independence; Article 37 sets designation criteria; Article 39 defines what the DPO actually does. EDPB Guidelines WP243 rev.01 remain the authoritative interpretation.

Key takeaways

  • 6 mandatory tasks under Article 39(1)(a)-(f).
  • DPO tasks performed with due regard to risk (Article 39(2)).
  • DPO is not personally liable for GDPR compliance — the controller is.
  • Independence and no-conflict-of-interest rules under Article 38.
  • DPO contact must be in privacy notice and ROPA (Articles 13, 14, 30).
  • Sanctions for failure to designate a DPO (Article 37) or for interfering with the DPO's position (Article 38): Article 83(4) — up to €10M / 2%.

1. Article 39 official text

Article 39 — Tasks of the data protection officer

  1. The data protection officer shall have at least the following tasks:
     (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
     (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
     (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
     (d) to cooperate with the supervisory authority;
     (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter;
     (f) in performing his or her tasks, the data protection officer shall have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

2. Task (a) — Inform and advise

The DPO advises:

  • Senior management (board level — required by EDPB)
  • Operational teams handling personal data
  • IT, HR, marketing, sales — wherever processing occurs

Output: written advisory notes, training sessions, RFC reviews of new processing.

3. Task (b) — Monitor compliance

Active monitoring includes:

  • Maintaining the ROPA (or supervising it)
  • Auditing processors (Article 28)
  • Training programme oversight
  • Internal compliance audits with documented findings
  • KPIs and dashboards

The DPO is the second line of defence — they monitor, they don’t operate.

4. Task (c) — Advise on and monitor DPIAs

Article 35(2): the controller shall seek advice of the DPO when carrying out a DPIA. The DPO:

  • Advises on whether a DPIA is required (EDPB WP248rev.01 nine criteria)
  • Reviews DPIA methodology and conclusions
  • Tracks remediation actions

5. Task (d) — Cooperate with the supervisory authority

Operational obligations:

  • Respond to DPA inquiries and information requests
  • Provide records (ROPA, DPIA, breach log) on request
  • Facilitate inspections
  • Collaborate on investigations following complaints

6. Task (e) — Contact point for the supervisory authority

Article 39(1)(e) makes the DPO the single point of contact for:

  • Prior consultation under Article 36
  • Routine queries
  • Inspection scheduling

DPO contact must be published in the privacy notice (Articles 13/14) and communicated to the DPA (Article 37(7)).

7. Implicit task — Data subject contact point

Article 38(4): “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data”. The DPO is therefore also the contact point for DSARs, complaints, and rights requests.

8. Independence and protection (Article 38)

  • No instructions on how to perform tasks (Article 38(3))
  • Cannot be dismissed or penalised for performing tasks
  • Reports directly to highest management
  • No conflict of interest with other functions
  • Resources and access provided (Article 38(2))

Forbidden combinations: DPO + CISO, DPO + IT director, DPO + HR director, DPO + CEO (per EDPB WP243rev.01 and DPA decisions).

9. Internal vs external DPO

Aspect         Internal                      External
Cost           €60-€120k/year salary         €1,500-€8,000/month retainer
Knowledge      Deep org context              Cross-sector benchmarks
Independence   Risk of conflict              Naturally independent
Availability   Full-time                     Shared time
Compliance     Same Article 39 obligations   Same Article 39 obligations

For SMEs, an external DPO is typical. Large groups usually appoint an internal DPO supported by a team.

10. Sanctions and enforcement

Article 83(4)(a) — up to €10M or 2% of global turnover — covers Article 37 (designation), 38 (position) and 39 (tasks) violations.

Notable cases:

  • DLT Centrum Wschód (Polish UODO 2020): conflict of interest sanctioned
  • Multiple French cases: failure to designate
  • Italian construction firm (Garante 2021): DPO contact not published

11. Implementation checklist

  1. Confirm whether DPO is mandatory (Article 37(1))
  2. Designate DPO and notify DPA (within 30 days of appointment)
  3. Publish DPO contact in privacy notice (Articles 13/14)
  4. Resource the DPO: time, budget, access
  5. Document the reporting line to top management
  6. Operationalise tasks (a)-(f) with workflows
  7. Deliver an annual DPO activity report to the board

12. Tooling

Legiscope provides DPO workspace: ROPA monitoring, DPIA queue, DSAR handling, breach log, processor audit tracker, training records. Built for both internal and external DPO mandates.

FAQ

What are the 6 tasks of a DPO under GDPR Article 39?

(a) Inform and advise on GDPR obligations, (b) Monitor compliance, (c) Advise on and monitor DPIAs, (d) Cooperate with the supervisory authority, (e) Act as contact point for the supervisory authority, (f) Perform tasks with due regard to risk.

Is the DPO personally liable for GDPR compliance?

No. The controller is accountable (Article 24). The DPO advises and monitors; they are not personally liable for the controller’s breaches. They can however be held accountable for breach of their own employment or contractual duties.

Can the CISO be the DPO?

EDPB WP243rev.01 and several DPA decisions consider CISO/IT director/HR director combinations as conflicts of interest — those functions decide how processing occurs, and the DPO must independently monitor those decisions.

Does the DPO handle DSARs?

Article 38(4) makes the DPO the contact point for data subjects on all processing issues. In practice the DPO oversees or operates the DSAR process per Articles 15-22.

What’s the sanction for failing to appoint a DPO?

Up to €10M or 2% of global turnover (Article 83(4)(a)). Multiple national cases have reached six-figure sanctions for missing or improperly positioned DPOs.

Legiscope automates this for you

Stop doing compliance manually. Legiscope's AI handles ROPA creation, DPA audits, and gap analysis — in minutes, not weeks.

Written by
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.
