A Data Protection Officer — in German a Datenschutzbeauftragter — is the person an organisation designates to oversee its data protection compliance. Under the GDPR, the DPO advises on obligations, monitors compliance, and serves as the point of contact for individuals exercising their rights and for the supervisory authority. The role is part adviser, part watchdog, and — importantly — independent: the DPO is meant to act in the interests of data protection, not simply as another manager.
When the GDPR requires a DPO
The GDPR makes appointing a DPO mandatory in three situations: where processing is carried out by a public authority; where the core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale; and where the core activities consist of large-scale processing of special categories of data or data relating to criminal matters. Outside these cases, appointing a DPO is voluntary — though many organisations do so as good practice.
Interpreting the thresholds
The triggering concepts — “core activities”, “large scale”, and “regular and systematic monitoring” — require judgement. Core activities are the primary operations, not ancillary functions like payroll. “Large scale” depends on the number of individuals, the volume and range of data, duration, and geographic extent. Because these terms are not defined by precise numbers, organisations should assess their situation carefully and document the reasoning, especially where they conclude a DPO is not required.
The DPO’s tasks
The GDPR sets out the DPO’s tasks: to inform and advise the organisation and its staff of their obligations; to monitor compliance, including awareness-raising and training; to advise on data protection impact assessments and monitor their performance; to cooperate with the supervisory authority; and to act as the contact point for it. The DPO does not bear personal legal liability for the organisation’s compliance — responsibility remains with the controller — but is central to achieving it.
Independence and protection
A defining feature of the role is independence. The DPO must be able to perform their duties without receiving instructions on how to carry them out, must report to the highest level of management, and must not be dismissed or penalised for performing the role. This protected independence is what allows the DPO to flag uncomfortable truths — a processing activity that should stop, a project that needs rethinking — without fear of reprisal.
Avoiding conflicts of interest
Because the DPO oversees compliance, the role cannot be combined with a position that determines the purposes and means of processing. Senior roles such as head of IT, head of marketing, or chief executive typically conflict, since the DPO would end up overseeing their own decisions. Choosing someone without such a conflict — or appointing an external DPO — is essential to preserve the integrity of the function.
Internal versus external DPOs
A DPO may be an employee or an external service provider engaged under contract. Smaller organisations often prefer an external DPO: it sidesteps conflict-of-interest problems, provides specialist expertise without a full-time hire, and ensures continuity. Larger organisations may build the role in-house, sometimes with a supporting team. Either way, the DPO must have sufficient resources, access, and expertise to do the job properly.
Qualifications and expertise
The GDPR requires the DPO to be appointed on the basis of professional qualities, in particular expert knowledge of data protection law and practice and the ability to fulfil the tasks. There is no single mandatory certification, but the DPO needs a genuine command of the legal framework and an understanding of the organisation’s processing and IT environment. The more complex and sensitive the processing, the deeper the expertise required.
The Swiss position
Switzerland’s revised Federal Act on Data Protection (revFADP) does not impose a mandatory DPO requirement in the same way the GDPR does, though it recognises and encourages the appointment of a data protection adviser and attaches certain benefits to having one. Swiss organisations that also fall under the GDPR — because they serve EU users — must still meet the GDPR’s DPO rules where triggered. As so often, the practical answer for DACH companies is to plan to the GDPR standard.
Practical decision-making
For most organisations the first question is simply whether a DPO is mandatory. That requires assessing core activities against the GDPR’s triggers and documenting the conclusion. Where a DPO is required — or chosen voluntarily — the next decisions are internal versus external, ensuring independence, and providing adequate resources. Getting this structure right early avoids both under-resourcing the role and creating conflicts that undermine it.
Conclusion
A Data Protection Officer is the independent overseer of an organisation’s data protection compliance — advising, monitoring, and serving as the contact point for individuals and regulators. The GDPR requires one for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale special-category processing. Whether internal or external, the DPO must be independent, conflict-free, qualified, and properly resourced, and DACH companies should assess the requirement against the GDPR standard.
