Responsibilities of Data Protection Officers
Duties of Data Protection Officers
The tasks and obligations of data protection officers (DPOs) or data protection consultants result, on the one hand, from the minimum requirements of the applicable law, such as the GDPR, and on the other hand, from individual agreements with the respective supervised company. According to Art. 39 GDPR, data protection officers have the following functions:
- Informing and advising the controller or the processor and the employees who carry out processing operations with regard to their obligations under this Regulation and under other data protection legislation of the Union or the Member States;
- Monitoring compliance with this Regulation, other Union or Member State data protection rules, and the controller or processor's strategies for the protection of personal data, including the allocation of responsibilities, awareness-raising and training of employees involved in processing operations and related reviews;
- Guidance, upon request, in connection with the data protection impact assessment and monitoring its implementation in accordance with Article 35;
- Cooperation with the supervisory authority;
- Acting as a point of contact for the supervisory authority on issues related to processing, including prior consultation in accordance with Article 36, and, where appropriate, advice on all other issues.
In practice, this means that DPOs must carry out regular data protection audits to identify gaps in data protection management and plan measures. However, deciding on the measures and implementing them is up to the company itself. DPOs also advise the company on all issues of data protection and train employees accordingly. The general training of employees is often carried out as webinars.
Annual Reports of the Data Protection Officers
The annual reports of the data protection officers fulfill a number of important functions. These include:
- Report on measures taken and identified weaknesses over the past year.
- Determination of the resources used and the necessary budget for the next year.
- Identification of necessary measures by priority on the basis of which management can allocate resources.
If data protection authorities identify an infringement, this annual report serves to exonerate the DPO. It also enables management to make a risk-based decision on the implementation of the proposed measures.