The duties and obligations of a data protection officer or data protection consultant result, on the one hand, from the minimal requirements of the applicable law, such as the GDPR, and the individual agreements with the respective supervised company.

In accordance with Art. 39 GDPR, the data protection officer has the following functions:

1. Information and advice to the person responsible or the processor and employees who carry out processing operations with regard to their obligations under this Regulation and under other data protection legislation of the Union or the Member States;
2. Monitoring compliance with this Regulation, other Union or Member State data protection rules and the controller or processor's strategies for the protection of personal data, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations and related reviews;
3. Advice — upon request — in connection with the data protection impact assessment and monitoring of its implementation in accordance with Article 35;
4. Cooperation with the supervisory authority;
5. Working as a point of contact for the supervisory authority on issues related to processing, including prior consultation in accordance with Article 36, and, where appropriate, advice on all other issues.

In practice, this means that the DPO must regularly carry out a data protection audit to identify gaps in data protection management and plan measures. However, the implementation or decision on the measures is up to the company itself. In addition, the DPO advises the company on all issues of data protection and trains employees accordingly. The general training of employees is often carried out as webinars.  

The data protection officer's annual reports fulfill a number of important functions. These include:

• Report on measures taken and identified weaknesses over the past year.
• Determination of the resources used and the necessary budget for the next year.
• Identification of necessary measures by priority based on which management can allocate resources.

If data protection authorities identify an infringement, this annual report serves to relieve the DPO. It also enables management to make a risk-based decision on the implementation of the proposed measures.

‍