The DPO should be involved in all issues relating to the protection of personal data.
In particular, the DPO must:
• inform and advise the controller or processor, as well as their employees, of their obligations under data protection law;
• monitor the organisation's compliance with all data protection legislation, including through audits, awareness-raising activities and the training of staff involved in processing operations. As part of these duties to monitor compliance, DPOs may, in particular: collect information to identify processing activities; analyse and check the compliance of processing activities; and inform, advise and issue recommendations to the controller or the processor;
• provide advice where a DPIA has been carried out and monitor its performance. The DPO can play a very important and useful role in assisting the controller in fulfilling this obligation. Following the principle of data protection by design, Article 35(2) specifically requires that the controller “shall seek advice” of the DPO when carrying out a DPIA. Article 39(1)(c), in turn, tasks the DPO with the duty to “provide advice where requested as regards the DPIA and monitor its performance pursuant to Article 35”;
• act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights. The DPO acts as a contact point to facilitate access by the supervisory authority to the documents and information;
• follow a risk-based approach. Article 39(2) recalls a general and common-sense principle which may be relevant for many aspects of a DPO’s day-to-day work. In essence, it requires DPOs to prioritise their activities and focus their efforts on issues that present higher data protection risks. This does not mean that they should neglect monitoring compliance of data processing operations that carry a comparatively lower level of risk, but it does indicate that they should focus, primarily, on the higher-risk areas.