Article 39: Tasks of the data protection officer
To meet the Article 39 requirement (tasks of the data protection officer), you must define the DPO’s minimum mandated duties, embed them into day-to-day operating workflows, and retain proof that the DPO is actively advising, monitoring compliance, training, and acting as the contact point for the supervisory authority. Document scope, cadence, and outputs. (Regulation (EU) 2016/679, Article 39)
Key takeaways:
- Write a DPO task charter mapped directly to Article 39 duties, then operationalize it through repeatable intake and reporting workflows. (Regulation (EU) 2016/679, Article 39)
- Evidence matters more than policy text: keep DPO advice records, monitoring results, training logs, and DPIA participation artifacts. (Regulation (EU) 2016/679, Article 39)
- Treat “monitor compliance” and “advise” as measurable services with SLAs, templates, and escalation paths owned by the business and the DPO. (Regulation (EU) 2016/679, Article 39)
Article 39 sets the floor for what your Data Protection Officer (DPO) must do once you have appointed one. Your fastest path to defensible compliance is to treat Article 39 like an operating requirement, not a job description. You need a DPO task charter, a small set of workflows that pull the DPO into decisions at the right times, and an evidence set you can produce quickly during regulator inquiries, customer diligence, or internal audit.
This requirement is frequently tested indirectly. Examiners and procurement assessors won’t ask, “Do you have Article 39?” They ask for DPIA records showing DPO involvement, proof of ongoing compliance monitoring, training completion, and examples of advice given to product or security teams. If you cannot produce artifacts, it reads as “DPO in name only.”
This page translates the Article 39 requirement (tasks of the data protection officer) into concrete steps a Compliance Officer, CCO, or GRC lead can assign, track, and audit. All regulatory references below point to the GDPR text for Article 39. (Regulation (EU) 2016/679, Article 39)
Regulatory text
Regulatory excerpt (provided): “1. The data protection officer shall have at least the following tasks:” (Regulation (EU) 2016/679, Article 39)
What the operator must do with this text: Article 39 is a minimum-duty standard. Your operating model must show that the DPO:
- informs and advises the organization and employees about GDPR and related data protection obligations;
- monitors compliance with GDPR and internal policies, including assignment of responsibilities, awareness raising, and training;
- advises on Data Protection Impact Assessments (DPIAs) and monitors their performance; and
- cooperates with and acts as a contact point for the supervisory authority. (Regulation (EU) 2016/679, Article 39)
If your program does not produce routine outputs tied to those tasks (advice logs, monitoring reports, training evidence, DPIA artifacts, regulator contact procedures), you will struggle to demonstrate compliance even if the DPO is experienced.
Plain-English interpretation (requirement-level)
If you have a DPO, you must give them a defined, active role in your privacy governance. That role includes: (1) advising the business, (2) checking that privacy controls and policies work in practice, (3) participating in DPIAs, and (4) being the interface to regulators. (Regulation (EU) 2016/679, Article 39)
Operationally, that means you need:
- a clear “what the DPO does” scope statement;
- defined triggers for when the DPO must be pulled in (new products, new processing, high-risk changes, DPIAs, incidents, regulator inquiries);
- a way to record DPO guidance and decisions; and
- a way to demonstrate ongoing monitoring, training, and reporting. (Regulation (EU) 2016/679, Article 39)
Who it applies to (entity and operational context)
Applies to: any organization acting as a controller or processor under GDPR that has appointed a DPO. The requirement is about the DPO’s tasks, so it becomes relevant once the DPO role exists and is expected to function as described. (Regulation (EU) 2016/679, Article 39)
Operational contexts where Article 39 becomes “live” quickly:
- Product launches and major feature changes involving personal data
- High-risk processing that triggers DPIAs
- Security incidents that may involve personal data exposure (the DPO is typically consulted as part of privacy response governance)
- Third-party onboarding where personal data is shared or processed by processors/sub-processors
- Employee training and annual compliance planning cycles (Regulation (EU) 2016/679, Article 39)
What you actually need to do (step-by-step)
Step 1: Make a role-and-scope decision you can defend
Create a GDPR role-and-scope register that covers:
- controller vs. processor status per major processing activity
- data categories and affected systems
- business owners for each processing area
- where the DPO must advise/approve/consult versus where they are informed only (Regulatory Best Practices)
Why this matters: scope ambiguity is a recurring failure mode. If the organization cannot explain where the DPO is expected to be involved, the DPO’s outputs will be inconsistent and hard to evidence.
Step 2: Publish a DPO Task Charter mapped to Article 39
Write a one-page charter that maps each Article 39 duty to:
- service description (what the DPO provides)
- intake channel (how requests reach the DPO)
- trigger events (what automatically routes to the DPO)
- expected outputs (what gets produced)
- escalation path (what happens when advice is not followed) (Regulatory Best Practices)
Example mapping (minimum viable):
| Article 39 duty | Operational trigger | DPO output | Evidence to keep |
|---|---|---|---|
| Inform & advise | New project intake, contract review, incident review | Written guidance, meeting notes, risk acceptance input | Advice log entry, email/decision record |
| Monitor compliance | Scheduled compliance review, audit support | Monitoring report, findings, remediation tracking | Review report, tickets, closure evidence |
| Awareness & training | New hire, annual refresh, role-based needs | Training content review, attendance oversight | Training roster, materials, completion evidence |
| DPIA advice & monitoring | DPIA required / high-risk change | DPIA comments, sign-off/consult record, follow-up checks | DPIA file with DPO section completed |
| Cooperate/contact authority | Regulator inquiry, complaint, consultation | Response coordination, communications log | Contact SOP, correspondence log |
Step 3: Build a requirement-specific operating procedure (SOP)
Turn the charter into a short SOP with named owners and a workflow. Include:
- intake triage rules (what is “privacy advisory” vs “security” vs “legal”)
- required data fields for requests (system, data types, purpose, recipients, retention)
- response format standards (what “advice” looks like in writing)
- storage location for evidence packets (single system of record) (Regulatory Best Practices)
A practical pattern is to run DPO work through a ticketing queue (or GRC platform) so every advisory action leaves an audit trail.
Step 4: Operationalize “monitor compliance” as a planned control, not ad hoc
Define a monitoring plan that includes:
- what gets reviewed (policies, processing activities, DPIAs, third-party data flows, retention)
- who supplies evidence to the DPO (system owners)
- how findings are documented (severity, owner, due date, remediation proof)
- how results are reported to leadership (a standing agenda item) (Regulation (EU) 2016/679, Article 39)
Keep it tight: a small number of repeatable checks beats a long checklist you cannot maintain.
Step 5: Embed the DPO into DPIAs
For DPIAs, enforce two gating rules:
- DPIA templates must include a required “DPO advice” section.
- DPIA completion criteria include “DPO consulted” plus documented follow-up if risk remains high. (Regulation (EU) 2016/679, Article 39)
This is one of the most straightforward places to prove Article 39 operation because the artifact is discrete and reviewable.
Step 6: Formalize the supervisory authority contact mechanism
Create a lightweight procedure that defines:
- who can contact the supervisory authority (usually DPO, Legal, or both)
- how communications are logged and stored
- how inquiries are triaged and responded to
- how internal stakeholders are briefed (Regulation (EU) 2016/679, Article 39)
Even if you have never been contacted, the exam question is, “Show me the process.”
Step 7: Package evidence on a recurring cadence
Create an evidence packet that you refresh routinely:
- DPO charter and SOP (current versions)
- advice log extract (redacted if needed)
- monitoring report(s) and remediation status
- training roster and materials
- sample DPIAs with DPO input
- regulator contact SOP and correspondence log (even if empty, show the log structure) (Regulatory Best Practices)
Daydream (if you use it) fits naturally here as the system to keep requirement-to-artifact traceability tight: one requirement page, mapped controls, and recurring evidence packets with ownership and exceptions tracked.
Required evidence and artifacts to retain
Keep artifacts that show both design (the program exists) and operation (it actually runs):
Design artifacts
- DPO Task Charter mapped to Article 39 tasks (Regulation (EU) 2016/679, Article 39)
- DPO SOP with triggers, owners, and recordkeeping rules (Regulatory Best Practices)
- Role-and-scope register for controller/processor decisions and impacted systems (Regulatory Best Practices)
Operational artifacts
- DPO advice log (tickets, emails, meeting minutes, decision records)
- Compliance monitoring outputs (review reports, findings register, remediation evidence)
- Training evidence (materials, attendance/completion records, role-based training mapping)
- DPIA files showing DPO advice and follow-up
- Supervisory authority communications log and escalation records (Regulation (EU) 2016/679, Article 39)
Common exam/audit questions and hangups
- “Show me how the DPO informs and advises the business. Where is it documented?” (Regulation (EU) 2016/679, Article 39)
- “How do you prove ongoing compliance monitoring? What was reviewed most recently, and what changed because of it?” (Regulation (EU) 2016/679, Article 39)
- “Provide a DPIA where the DPO gave advice. How was that advice addressed?” (Regulation (EU) 2016/679, Article 39)
- “Who contacts the supervisory authority, and how do you ensure consistent messaging?” (Regulation (EU) 2016/679, Article 39)
- “Where do you store evidence so it’s searchable and complete?” (Regulatory Best Practices)
Hangup to anticipate: teams often have evidence scattered across email, chat, and personal drives. Centralize it or you will waste days during an audit response.
Frequent implementation mistakes and how to avoid them
- Job description instead of operating model. A DPO job posting does not prove Article 39 performance. Require artifacts: advice logs, monitoring reports, DPIA participation. (Regulation (EU) 2016/679, Article 39)
- Undefined triggers for consultation. If “consult the DPO” is optional, it will be skipped under delivery pressure. Add explicit triggers in intake workflows for product, security, and procurement. (Regulatory Best Practices)
- No record of advice when advice is given verbally. Move advice into written channels by default, or document meeting notes in a controlled repository. (Regulatory Best Practices)
- DPIA process exists, but the DPO is not embedded. Make the DPIA template and approval workflow require DPO consultation. (Regulation (EU) 2016/679, Article 39)
- Regulator contact is improvised. Write and test the contact procedure with Legal and Comms so you can respond consistently. (Regulation (EU) 2016/679, Article 39)
Enforcement context and risk implications
No public enforcement case sources were provided in the source catalog for this page, so this guidance does not cite specific cases. Practically, Article 39 gaps increase regulatory and customer-diligence risk because they indicate governance weakness: the organization cannot show independent privacy oversight, documented advice, or structured DPIA involvement. (Regulation (EU) 2016/679, Article 39)
Practical execution plan (30/60/90-day)
Use phases instead of fixed calendar commitments, since timelines depend on your current maturity and staffing.
Immediate (stabilize)
- Confirm DPO appointment, reporting line, and coverage scope for controller/processor activities. (Regulation (EU) 2016/679, Article 39)
- Stand up a single intake channel for DPO advisory requests and start an advice log.
- Publish the DPO Task Charter mapped to Article 39 and socialize it with Product, Security, HR, and Procurement. (Regulation (EU) 2016/679, Article 39)
Near-term (operationalize)
- Implement the requirement-specific SOP with triggers in: project intake, third-party onboarding, and incident response. (Regulatory Best Practices)
- Create the compliance monitoring plan and deliver the first monitoring report with tracked remediation actions. (Regulation (EU) 2016/679, Article 39)
- Update DPIA templates to include required DPO advice fields and store completed DPIAs in a controlled repository. (Regulation (EU) 2016/679, Article 39)
Ongoing (prove it repeatedly)
- Run monitoring on a recurring cadence and report to leadership with clear owners and due dates. (Regulation (EU) 2016/679, Article 39)
- Maintain the evidence packet so you can respond quickly to audits and due diligence. (Regulatory Best Practices)
- Periodically test the supervisory authority contact procedure and refresh the communications log process. (Regulation (EU) 2016/679, Article 39)
Frequently Asked Questions
Do we need to do anything under Article 39 if we don’t have a DPO?
Article 39 governs the tasks of the DPO, so it becomes operational once a DPO is appointed. If you do not have a DPO, focus on confirming whether you are required to appoint one under GDPR and documenting your governance model. (Regulation (EU) 2016/679)
What is the minimum evidence that convinces an auditor the DPO is functioning?
Provide a DPO charter mapped to Article 39, an advice log with real examples, at least one monitoring output with remediation tracking, and DPIAs that show DPO consultation. Those artifacts directly correspond to Article 39 task categories. (Regulation (EU) 2016/679, Article 39)
Can the DPO give advice verbally, or must it be written?
GDPR does not require a specific format in Article 39, but you need a reliable record for auditability. Default to written outputs or captured meeting notes stored in your evidence repository. (Regulation (EU) 2016/679, Article 39)
How do we operationalize “monitor compliance” without creating a huge program?
Define a small monitoring plan tied to your biggest processing activities and highest-change areas, then produce routine outputs with tracked remediation. Proportionate, repeatable checks are easier to evidence than broad one-time assessments. (Regulation (EU) 2016/679, Article 39)
What should be in the supervisory authority contact process if we’ve never been contacted?
Document who is authorized to communicate, how requests are triaged, where correspondence is logged, and how responses are approved. Even a “no contacts to date” log entry is better than an empty process. (Regulation (EU) 2016/679, Article 39)
How does this connect to third-party risk management?
The DPO should be pulled into third-party onboarding when personal data is shared, new processing is introduced, or DPIAs are triggered. Your third-party workflow should generate evidence that the DPO advised on risk and required safeguards. (Regulation (EU) 2016/679, Article 39)
Operationalize this requirement
Map requirement text to controls, owners, evidence, and review workflows inside Daydream.