According to Art. 39 (I) of the GDPR, which is effective as of 25 May 2018, the data protection officer has to fulfil least the following tasks:
(a) informing and advising the controller or the processor and the persons carrying out the processing operations regarding their obligations under the General Data Protection Regulation and other data protection regulations of the Union or the Member States;
(b) monitoring compliance with the General Data Protection Regulation, other Union or Member States' data protection regulations as well as the strategies of the controller or the processor concerning the protection of personal data, including the allocation of responsibilities, awareness and training of the employees involved in the processing operations and the controls related thereto;
c) consulting – upon the request - in connection with the data protection impact assessment and monitoring of its implementation in accordance with Art. 35 GDPR;
(d) cooperation with the supervisory authority;
(e) acting as a point of contact for the supervisory authority in matters relating to the processing, including prior consultation in accordance with Art. 36 GDPR, and, where appropriate, advising on all other matters.
Furthermore, a data protection officer could take over the following matters: