Information Security

What are the duties of a Data Protection Officer?

A Data Protection Officer (FG) is the person designated within an organization to oversee compliance with the General Data Protection Regulation (AVG). In this article you will read all about the duties and responsibilities of the FG, when an FG is mandatory and what an FG can do in your organization.
This article was last updated on 14/5/2024

What are the duties of a Data Protection Officer?

A Data Protection Officer has several duties:

  • Inform and advise:
    The FG collects information about data processing operations within an organization, analyzes these operations to assess their compliance with the AVG, and provides advice and recommendations to the organization.
  • Internal oversight:
    The FG oversees internal compliance with the AVG and other relevant privacy laws, such as European laws and regulations.
  • Advising on DPIA:
    The FG advises on conducting a Data Protection Impact Assessment (DPIA), a process to identify and assess privacy risks of data processing operations.
  • Working with the Personal Data Authority (AP):
    The FG works with the Personal Data Authority (AP) and is the contact person for issues such as audits and reports.

When is a Data Protection Officer mandatory?

An FG must be registered with the AP. This way, the AP knows who to turn to for matters regarding the AVG. Based on Article 37 of the AVG, it is mandatory to appoint an FG in the following cases:

  1. Governments and public organizations
    All government agencies and public organizations, including state governments, municipalities and educational institutions, are required to appoint an FG. It does not matter what their core activities are or the type of personal data they process.
  2. Regular observation on a large scale
    When an organization's core business is to regularly observe individuals on a large scale. Examples include making risk assessments, camera surveillance, using employee tracking systems, and monitoring a person's health through wearable devices (wearables).

    Determining whether this is considered a core activity depends on the number of people an organization tracks, the amount of data it processes and how long the organization tracks people.
  3. Processing a lot of special personal data
    When an organization processes a lot of special personal data, it is mandatory to appoint an FG. Think of medical data at hospitals or criminal data at courts.

Data protection officer in your organization

The FG must be able to work independently in your organization. In addition, the FG must have enough time and resources for his work. Consider the following things an FG needs:

  • Active support from management
  • Easy access to the FG for all employees without third-party intervention
  • Sufficient time to complete tasks
  • Practical support (budget, facilities, personnel)
  • Clear communication to staff about the presence of the FG
  • Training to keep abreast of the rules

At A-Vision, our Storm van Wissen is given plenty of space and serves 4 hours a week as Data Protection Officer: "As FG at A-VISION, my mission is to safeguard the privacy of clients, employees and stakeholders. As an external FG, I have more distance from the organization and best guarantee objectivity and impartiality."

Does personal data processing play an important role in your organization? Check out our Data Protection Officer service and other Interim Specialism. Get all the knowledge and expertise from as little as 4 hours per week.

Ruben den Dulk
Information Security Consultant
085 773 60 05