GDPR Art.37–39: Data Protection Officer (DPO) — When Required, Position, Tasks & Conflict of Interest (2026)

Post #430 in the sota.io EU Cyber Compliance Series

The Data Protection Officer is one of the most misunderstood roles in GDPR compliance. Many organisations either skip the designation (assuming it is optional when it is not) or appoint a DPO without granting the independence and resources the Regulation requires. Both mistakes are enforcement targets. This post covers the three mandatory designation cases under Art.37, the organisational requirements under Art.38, the six tasks the DPO must perform under Art.39, and how to implement a lightweight DPO-management system in Python.

GDPR Chapter IV: Art.37–39 in Context

Art.37–39 sit in Chapter IV (Controller and Processor) alongside Art.30 records, Art.32 security, Art.33–34 breach notification, and Art.35 DPIA. The DPO is the organisational linchpin that connects all of these: they monitor Art.30 records, advise on Art.32 measures, are notified under Art.33, and must be consulted before Art.36 prior consultation with the supervisory authority.

Art.37: Designation — When Is a DPO Mandatory?

Art.37(1) identifies three cases in which designation is mandatory:

Art.37(1)(a) — Public Authorities and Bodies

The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.

Scope: Any government authority, municipality, public university, public hospital, regulatory body. The exception for courts is narrow — the judicial function of courts is excluded, but their administrative processing (HR, finance, IT) is not.

Key point for SaaS vendors: If your customer is a public authority, they must designate a DPO. Your processor obligations under Art.28 require you to support their DPO's work, but you are not automatically required to designate your own DPO on that basis alone.

Art.37(1)(b) — Large-Scale Systematic Monitoring

The core activities of the controller or the processor consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.

Three cumulative elements:

1. Core activities — monitoring must be central to the business, not incidental. A law firm that monitors employee emails for compliance has monitoring as an ancillary activity. A telecom that tracks subscriber location continuously has it as a core activity.

2. Regular and systematic — regular: ongoing or periodic. Systematic: organised, structured, methodical. Ad-hoc monitoring is not captured; behavioural tracking, real-time analytics, and geolocation tracking are.

3. Large scale — EDPB factors: number of data subjects (absolute and relative to population), geographical extent, data volume, duration of processing, breadth of data categories.

Developer triggers:

• Behavioural analytics platforms
• Ad-tech and programmatic advertising
• Fleet tracking and GPS logistics
• Social media platforms with recommendation engines
• IoT platforms with continuous sensor data
• CDN / web analytics processing millions of page views

Art.37(1)(c) — Large-Scale Processing of Special Categories or Criminal Data

The core activities consist of processing on a large scale of special categories of data pursuant to Art.9, or of personal data relating to criminal convictions and offences referred to in Art.10.

Art.9 special categories: health, genetic, biometric (for identification), racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, sex life/sexual orientation.

Developer triggers:

• Health platforms, telemedicine, EHR systems
• HR analytics with trade union data
• Background check services
• Biometric access control systems
• Mental health or addiction treatment apps

Art.37(4) — Voluntary Designation

Controllers not in any mandatory case may voluntarily designate a DPO. When they do, the full requirements of Art.37–39 apply — including the independence requirements of Art.38 and all six tasks of Art.39. There is no partial compliance: either you have a compliant DPO or you do not.

When voluntary designation makes sense:

• Processing volumes are borderline large scale
• Customers contractually require a DPO contact (B2B SaaS for regulated sectors)
• Regulatory engagement is frequent (multiple SAs, cross-border processing)
• DPO provides accountability documentation for Art.5(2) accountability principle

Art.37(2) — Group of Undertakings: Single DPO

A group of undertakings may designate a single DPO if the DPO is "easily accessible from each establishment." Practically, this means the DPO must be reachable from all group entities (language, time zone, availability) and have sufficient capacity for the group's processing volume.

Art.37(5) — Qualification Requirements

The DPO must be designated "on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Art.39."

There is no formal certification requirement in the Regulation, but EDPB guidance notes that the required level of expertise should be proportionate to the sensitivity and volume of data processed. A healthcare group processing genomic data requires more expertise than a small B2B SaaS with a single Art.37(1)(a)-triggered designation.

Art.37(7) — Publication and Notification

The DPO's contact details must be:

• Published (accessible to data subjects — typically on the privacy policy or a dedicated DPO contact page)
• Communicated to the supervisory authority — in Germany, for example, to the competent Landesdatenschutzbehörde

Publication must cover contact details, not necessarily the DPO's name (though name publication is common practice and recommended by some SAs).

Art.38: Position of the DPO — Independence and Resources

Designating a DPO on paper but denying them the ability to function is itself an infringement. Art.38 defines the structural requirements:

Art.38(2) — Adequate Resources

The controller/processor must provide the DPO with:

• Resources necessary to carry out tasks (time, budget, staff support)
• Access to personal data and processing operations
• Means to maintain expert knowledge (training, conferences, subscriptions to guidance)

A DPO who is allocated 5% of their working time to DPO duties while processing operations involve 50 systems across 20 countries does not have adequate resources. The EDPB has explicitly flagged under-resourcing as a compliance concern.

Art.38(3) — No Instructions — The Independence Requirement

The controller and processor shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks.

The DPO must be able to report independently to the highest management level (Art.38(3)) and cannot be instructed to reach a particular compliance conclusion. They can be instructed on administrative matters (scheduling, format of reports) but not on substantive findings.

Infringement examples: telling the DPO that a DPIA is not required when the DPO considers it necessary; instructing the DPO not to notify the SA of a breach.

Art.38(3) — No Dismissal or Penalty for DPO Tasks

The DPO may not be dismissed or penalised for performing their tasks. This is structural independence analogous to whistleblower protection. An employer who disciplines a DPO for recommending against a high-risk processing operation faces direct Art.38 infringement liability.

Art.38(5) — Conflict of Interest — The Developer's Risk

The DPO may fulfil other tasks and duties. The controller or the processor shall ensure that any such tasks and duties do not result in a conflict of interest.

Roles incompatible with DPO designation:

• CEO, COO, CFO, CTO, CISO — all set processing strategy and cannot oversee their own decisions
• Head of IT (often determines technical processing architecture)
• Head of HR (processes employee data they would be overseeing as DPO)
• Head of Legal (where legal function advises on processing decisions the DPO would assess)
• Head of Marketing (controls customer data processing)

Roles generally compatible:

• Internal audit (provided audit does not determine processing strategy)
• Privacy analyst or privacy counsel (subordinate, not strategic)
• External DPO on a service contract (common and EDPB-recognised)

The conflict-of-interest risk is particularly acute at startups and SMEs where one person wears many hats. Appointing the CTO as DPO — a common shortcut — is an Art.38(5) infringement.

Art.39: Tasks — What the DPO Must Do

Art.39(1) lists six mandatory tasks. Note that these are minimum tasks — the DPO may take on additional duties (subject to Art.38(5)).

Art.39(1)(a) — Inform and Advise

The DPO must inform and advise the controller, processor, and employees carrying out processing of their obligations under GDPR and other EU/Member State data protection provisions.

Practical scope: This is the DPO's consultative function. It covers advising product teams on new features, legal on contract drafting, HR on employment data, security on breach handling. The DPO is not a decision-maker — they advise; the controller decides and bears responsibility.

Art.39(1)(b) — Monitor Compliance

The DPO monitors compliance with the Regulation, other data protection provisions, and the controller's own policies. This includes assignment of responsibilities, awareness-raising, training, and audits.

Practical scope: Regular reviews of Art.30 records for accuracy, monitoring of data access logs, periodic review of consent mechanisms, oversight of processor contracts under Art.28, and audit of security measures under Art.32.

Art.39(1)(c) — DPIA — Provide Advice and Monitor

The DPO provides advice where requested on Art.35 DPIAs and monitors their performance. Specifically:

• Art.35(8) requires the controller to seek the DPO's advice when conducting a DPIA
• The DPO does not conduct the DPIA (the controller does) — the DPO advises on methodology, assesses completeness, and monitors follow-up

Developer implication: If your SDLC includes DPIAs (as it should for Art.35(1) processing), the DPO must be in the review loop before a processing operation goes live. This is a formal checkpoint, not a courtesy review.

Art.39(1)(d) — Cooperate with the Supervisory Authority

The DPO acts as a contact point for the SA on all processing-related issues, including Art.36 prior consultation, Art.33 breach notification, and SA investigations.

Practical implication: In a regulatory investigation, communications flow through the DPO. This means the DPO must be briefed on all relevant processing operations and must have authority to commit the organisation to remediation timelines.

Art.39(1)(e) — Act as Contact Point for Data Subjects

The DPO is the contact point for data subjects exercising their Chapter III rights (access, erasure, restriction, portability, objection). The DPO does not necessarily handle the requests themselves — that is an operational function — but they must be reachable and oversee the process.

Published contact: The DPO's contact details in the privacy policy are primarily for this purpose. Data subjects should be able to reach the DPO without navigating multiple layers of the website.

Art.39(1) + Art.39(2) — Secrecy and Confidentiality

Art.39(2) requires the DPO to maintain secrecy or confidentiality concerning the performance of their tasks, in accordance with Union or Member State law. This means the DPO's communications with the SA are protected and may not be disclosed to management without the DPO's consent.

Art.38(4) — Data Subjects May Contact the DPO Directly

Art.38(4) gives data subjects the right to contact the DPO directly "with regard to all issues related to processing of their personal data and to the exercise of their rights." This is a direct right — the controller cannot require data subjects to go through a customer support layer before reaching the DPO.

Enforcement Cases

BfDI — Deutsche Telekom (2019): €9.55M

Deutsche Telekom's subsidiary was fined €9.55M primarily for data security failures, but the case included scrutiny of the DPO's independence and access to processing operations. Regulators examined whether the DPO had adequate resources and access to make informed compliance assessments.

AEPD — H&M (2020): €35M (Germany, Hamburg DPA)

H&M's HR monitoring of employees at the Nuremberg service centre involved the DPO being structurally excluded from oversight of the monitoring programme. The Hamburg DPA found that the DPO function had been undermined by keeping the monitoring system outside the DPO's scope of review — an Art.38(2) resource and access failure.

ICO — Statutory Guidance (2021)

The UK ICO issued statutory guidance noting that DPO conflict-of-interest designations are "routinely identified" in regulatory investigations. The ICO specifically called out CTOs and Heads of IT as typically incompatible with DPO designation at technology companies.

UODO — Polish DPA (2022): PLN 45,000

A Polish health insurer designated an employee who also served as Head of IT Operations as DPO. The UODO found an Art.38(5) conflict of interest because the Head of IT determined data infrastructure architecture while the DPO was required to oversee it. Fine plus requirement to redesign the DPO function.

Python Implementation: DPO Management System

from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import datetime


class MandatoryCase(Enum):
    PUBLIC_AUTHORITY = "public_authority"
    LARGE_SCALE_SYSTEMATIC_MONITORING = "large_scale_systematic_monitoring"
    LARGE_SCALE_SPECIAL_CATEGORIES = "large_scale_special_categories"


class ConflictRole(Enum):
    CEO = "CEO"
    COO = "COO"
    CFO = "CFO"
    CTO = "CTO"
    CISO = "CISO"
    HEAD_OF_IT = "head_of_it"
    HEAD_OF_HR = "head_of_hr"
    HEAD_OF_MARKETING = "head_of_marketing"
    HEAD_OF_LEGAL = "head_of_legal"


@dataclass
class ProcessingProfile:
    is_public_authority: bool = False
    # Art.37(1)(b): large-scale systematic monitoring
    core_activity_is_monitoring: bool = False
    monitoring_is_regular_and_systematic: bool = False
    monitoring_is_large_scale: bool = False
    # Art.37(1)(c): large-scale special categories
    core_activity_processes_special_categories: bool = False
    special_categories_are_large_scale: bool = False
    # Voluntary
    voluntary_designation: bool = False


@dataclass
class DPOCandidate:
    name: str
    current_roles: list[ConflictRole] = field(default_factory=list)
    is_external: bool = False
    has_data_protection_expertise: bool = True
    contact_published: bool = False
    contact_notified_to_sa: bool = False


@dataclass
class DPODesignationCheck:
    profile: ProcessingProfile
    candidate: Optional[DPOCandidate] = None

    def mandatory_case(self) -> Optional[MandatoryCase]:
        p = self.profile
        if p.is_public_authority:
            return MandatoryCase.PUBLIC_AUTHORITY
        if (p.core_activity_is_monitoring
                and p.monitoring_is_regular_and_systematic
                and p.monitoring_is_large_scale):
            return MandatoryCase.LARGE_SCALE_SYSTEMATIC_MONITORING
        if (p.core_activity_processes_special_categories
                and p.special_categories_are_large_scale):
            return MandatoryCase.LARGE_SCALE_SPECIAL_CATEGORIES
        return None

    def designation_required(self) -> bool:
        return (self.mandatory_case() is not None
                or self.profile.voluntary_designation)

    def conflict_of_interest(self) -> list[str]:
        if self.candidate is None:
            return []
        issues = []
        for role in self.candidate.current_roles:
            issues.append(
                f"Art.38(5) conflict: {self.candidate.name} holds "
                f"role '{role.value}' incompatible with DPO designation"
            )
        return issues

    def publication_compliant(self) -> bool:
        if self.candidate is None:
            return False
        return (self.candidate.contact_published
                and self.candidate.contact_notified_to_sa)

    def validate(self) -> dict:
        result = {
            "designation_required": self.designation_required(),
            "mandatory_case": self.mandatory_case(),
            "issues": [],
        }
        if self.designation_required() and self.candidate is None:
            result["issues"].append(
                "DPO designation required but no DPO designated (Art.37 infringement)"
            )
        if self.candidate:
            result["issues"].extend(self.conflict_of_interest())
            if not self.candidate.has_data_protection_expertise:
                result["issues"].append(
                    "Art.37(5): DPO lacks required data protection expertise"
                )
            if not self.candidate.contact_published:
                result["issues"].append(
                    "Art.37(7): DPO contact details not publicly available"
                )
            if not self.candidate.contact_notified_to_sa:
                result["issues"].append(
                    "Art.37(7): DPO contact not communicated to supervisory authority"
                )
        result["compliant"] = len(result["issues"]) == 0
        return result


@dataclass
class DPOTask:
    task: str
    art39_ref: str
    last_performed: Optional[datetime.date] = None
    frequency_days: int = 90

    def is_overdue(self) -> bool:
        if self.last_performed is None:
            return True
        delta = datetime.date.today() - self.last_performed
        return delta.days > self.frequency_days


@dataclass
class DPOTaskMonitor:
    tasks: list[DPOTask] = field(default_factory=lambda: [
        DPOTask("Review Art.30 records", "Art.39(1)(b)", frequency_days=90),
        DPOTask("Audit processor contracts (Art.28)", "Art.39(1)(b)", frequency_days=180),
        DPOTask("Review consent mechanisms", "Art.39(1)(b)", frequency_days=90),
        DPOTask("DPIA review for new features", "Art.39(1)(c)", frequency_days=30),
        DPOTask("SA notification status check", "Art.39(1)(d)", frequency_days=30),
        DPOTask("Data subject request backlog review", "Art.39(1)(e)", frequency_days=14),
        DPOTask("Staff data protection training", "Art.39(1)(b)", frequency_days=365),
        DPOTask("Security incident briefing", "Art.39(1)(a)", frequency_days=30),
    ])

    def overdue_tasks(self) -> list[DPOTask]:
        return [t for t in self.tasks if t.is_overdue()]

    def report(self) -> dict:
        overdue = self.overdue_tasks()
        return {
            "total_tasks": len(self.tasks),
            "overdue": len(overdue),
            "overdue_tasks": [
                {"task": t.task, "ref": t.art39_ref,
                 "last_performed": str(t.last_performed) if t.last_performed else "never"}
                for t in overdue
            ],
            "compliant": len(overdue) == 0,
        }

Usage

# Example: Health SaaS — mandatory DPO (Art.37(1)(c))
profile = ProcessingProfile(
    core_activity_processes_special_categories=True,
    special_categories_are_large_scale=True,
)

# CTO as DPO — classic conflict-of-interest mistake
candidate = DPOCandidate(
    name="Alice Müller",
    current_roles=[ConflictRole.CTO],
    contact_published=True,
    contact_notified_to_sa=True,
)

check = DPODesignationCheck(profile=profile, candidate=candidate)
result = check.validate()
# result["issues"]: ["Art.38(5) conflict: Alice Müller holds role 'CTO' incompatible with DPO designation"]
# result["compliant"]: False

# Corrected: external DPO without conflict
external_dpo = DPOCandidate(
    name="Dr. Bernd Fischer (external)",
    is_external=True,
    has_data_protection_expertise=True,
    contact_published=True,
    contact_notified_to_sa=True,
)
check2 = DPODesignationCheck(profile=profile, candidate=external_dpo)
result2 = check2.validate()
# result2["compliant"]: True

# Task monitoring
monitor = DPOTaskMonitor()
report = monitor.report()
# report["overdue"]: 8 (all tasks uninitialized)

DPO Decision Tree

Is processing by a public authority or body?
  YES → Art.37(1)(a): DPO MANDATORY
  NO  ↓

Are core activities regular/systematic monitoring at large scale?
  YES → Art.37(1)(b): DPO MANDATORY
  NO  ↓

Do core activities process Art.9/10 data at large scale?
  YES → Art.37(1)(c): DPO MANDATORY
  NO  ↓

Voluntary designation chosen?
  YES → Art.37(4): DPO REQUIRED (full Art.38/39 applies)
  NO  → No DPO required (document reasoning under Art.5(2))

If DPO required:
  → Does candidate hold CEO/COO/CFO/CTO/Head-of-IT/Head-of-HR/Head-of-Marketing role?
      YES → Art.38(5) conflict: appoint different person or external DPO
      NO  ↓
  → Does candidate have data protection expertise?
      NO  → Art.37(5) non-compliant
      YES ↓
  → Is DPO contact published and SA notified?
      NO  → Art.37(7) non-compliant
      YES → Designation compliant — implement Art.39 tasks

EU Hosting Advantage

Controllers running on EU-native infrastructure have a structural DPO benefit:

Reduced transfer complexity in DPIA and DPO work: When the DPO reviews Art.30 records, a processing chain that stays entirely within the EU/EEA has zero Art.44+ transfer entries to document, audit, or justify. No Standard Contractual Clauses, no Transfer Impact Assessments, no adequacy decisions to monitor for revocation.

SA relationship: EU-native hosting means data is subject to EU SAs' jurisdiction exclusively. The DPO cooperates with a known, stable supervisory authority — not with multiple non-EU regulators who may have competing inspection requests.

DPO workload reduction: A DPO supporting a controller on EU-native cloud can focus Art.39(1)(a) advisory work on substantive GDPR compliance rather than transfer mechanism maintenance. Schrems II compliance research, SCCs versioning, and adequacy monitoring represent 20–30% of a DPO's technical workload for US-cloud deployments. EU-native infrastructure eliminates this category entirely.

Checklist: GDPR Art.37–39 Compliance

Designation (Art.37)

• Assessed all three mandatory cases (public authority / systematic monitoring / special categories)
• Documented reasoning if no DPO required (Art.5(2) accountability)
• DPO designated with appropriate expertise (Art.37(5))
• Single DPO for group of undertakings accessible from all entities (Art.37(2))
• DPO contact published on website / privacy policy (Art.37(7))
• DPO contact communicated to supervisory authority (Art.37(7))

Position (Art.38)

• DPO has adequate resources and access to processing operations (Art.38(2))
• DPO reports to highest management level (Art.38(3))
• No instructions given to DPO on substantive findings (Art.38(3))
• DPO not dismissed or penalised for performing tasks (Art.38(3))
• No conflict of interest between DPO role and other duties (Art.38(5))
• Data subjects can contact DPO directly (Art.38(4))

Tasks (Art.39)

• DPO provides regular Art.39(1)(a) advice to teams (schedule documented)
• DPO conducts Art.39(1)(b) compliance monitoring (Art.30 review cadence set)
• DPO consulted on all Art.35 DPIAs before processing goes live (Art.39(1)(c))
• DPO is SA contact point for Art.33 notifications and investigations (Art.39(1)(d))
• DPO is accessible contact for data subject rights requests (Art.39(1)(e))
• DPO maintains secrecy on task performance (Art.39(2))
• Staff data protection training delivered and documented
• DPO task log maintained (last-performed dates for all Art.39 activities)

See Also

• GDPR Art.35: Data Protection Impact Assessment (DPIA) — DPO must be consulted on every DPIA under Art.39(1)(c); Art.35(8) makes this obligation explicit
• GDPR Art.33–34: Breach Notification — DPO is the SA contact point for Art.33 notifications and ongoing investigations (Art.39(1)(d))
• GDPR Art.30: Records of Processing Activities (RoPA) — DPO reviews Art.30 records as part of Art.39(1)(b) compliance monitoring