The standard tasks of the data protection officer follow from Art. 39 GDPR, while these duties can be substantiated or extended by the employment or service contract concluded with him.
One of the primary tasks of the external DPO is to work towards compliance by the controller or the processor, as well as their employees, with all (data protection) regulations by means of information and advice, Art. 39 (1) lit. a GDPR. For this purpose, he must be briefed on both the procedures of the data-processing software programs and the computer technology in use, and he should keep their subsequent review under his control and conduct it regularly. In addition, the external data protection officer must ensure that persons handling personal data are made familiar with the data protection regulations and their due diligence obligations. This should be done through regular training and, where necessary, repeated instruction.
A DPO regularly reviews the technical and organizational measures of the company, provided that this specific task has been contractually assigned to him by the controller or processor. For this purpose, at least access, transfer, input, order and availability controls are to be reviewed. He also carries out regular audits.
In most cases, he also oversees the company’s deployed automated procedures, which he often reviews as part of the data protection impact assessment, to ensure that the data subjects’ rights are adequately protected and that data subjects are sufficiently informed. This is crucial especially with regard to the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability and the right to object, as well as for responding to information requests.
Furthermore, he often takes care of maintaining the procedure indexes, although it should be noted that there is no legal obligation to do so. Additionally, the DPO could be contracted to develop a data privacy manual containing the necessary concepts, guidelines, directives and employee information.
The internal or external data protection officer must also represent the controller or the processor in relations with the supervisory authority as its contact person. However, it should be pointed out that the external data protection officer does generally not have decision-making competences; these lie solely with the controller and thereby usually with the management of his principal.