One of the obligations included in the GDPR is the appointment of a Data Protection Officer (DPO). The concept of a DPO is not new in Europe, but until now it was regulated only at the Member State level, without uniformity across the Union.
The main role of a DPO is to assist and advise the processor regarding GDPR compliance, and to ensure that its provisions are applied within the institution. He is required to keep a register of all the processing activities involving personal data that the institution performs. This register must include explanatory information on the purpose of the processing operations, and must be accessible to any person.
DPOs are appointed by data controllers and processors when they are a public authority, when their activities require monitoring of data subjects regularly and on a large scale, or when the information includes sensitive data such as criminal convictions or offences.
DPOs should have a certain degree of independence within the organization, and act as the liaison between it and the supervisory body (the European Data Protection Supervisor) or the data subjects.
Where the data processor or controller is not obliged to appoint a DPO under the GDPR or its Member State law, it can still do so.
If a Data Protection Officer is appointed, though, his contact details must be communicated to the supervisory authority.