Article 39: Tasks of the data protection officer
Article 39 requires you to define, enable, and evidence the Data Protection Officer’s (DPO’s) operational tasks: advising the business on GDPR obligations, monitoring compliance, training and audits, advising on DPIAs, and serving as the contact point with the supervisory authority. Operationalize it by assigning a DPO task charter, intake workflows, reporting cadence, and an auditable evidence pack. (Regulation (EU) 2016/679, Article 39)
Key takeaways:
- Document a DPO task charter that maps each Article 39 task to owners, triggers, and deliverables. (Regulation (EU) 2016/679, Article 39)
- Build “front doors” for DPO engagement (DPIA intake, project reviews, incident support, regulator communications) and track SLAs internally. (Regulation (EU) 2016/679, Article 39)
- Retain evidence that the DPO actually performed the tasks: advice memos, monitoring outputs, training records, DPIA guidance, and regulator correspondence logs. (Regulation (EU) 2016/679, Article 39)
A DPO appointment alone does not satisfy GDPR expectations. Article 39 focuses on what the DPO does in practice and what the organization must enable the DPO to do. For a CCO or GRC lead, the fastest path to defensibility is to translate Article 39 into a small set of repeatable operating routines: a defined task charter, documented engagement points with the business, measurable outputs, and a clean evidence trail.
This requirement shows up in audits and regulator inquiries in a predictable way: “Who is the DPO, what is their scope, how do they get involved in change, and show me proof.” If you can produce a role-and-scope register, a DPO operating procedure, and a recurring evidence packet, you can usually answer most follow-up questions without a scramble.
This page breaks Article 39 into implementation steps you can execute without rewriting your entire privacy program. It assumes you already know whether you must appoint a DPO; the goal here is to operationalize the DPO’s tasks in a way that stands up to regulatory scrutiny and third-party diligence. (Regulation (EU) 2016/679, Article 39)
Regulatory text
Regulatory excerpt: “The data protection officer shall have at least the following tasks:” (Regulation (EU) 2016/679, Article 39)
Operator interpretation: Article 39 is a minimum task list, not a suggestion. Your program must (1) assign these tasks to the DPO, (2) integrate the DPO into operational workflows so the tasks can be performed, and (3) keep evidence that the tasks are performed in real situations (projects, incidents, DPIAs, audits, and regulator interactions). (Regulation (EU) 2016/679, Article 39)
What the “tasks” mean in practice (requirement-level):
- Advise/inform the controller/processor and employees of GDPR obligations.
- Monitor compliance with GDPR and internal policies, including training, awareness, and audits.
- Provide advice on DPIAs and monitor DPIA performance.
- Cooperate with the supervisory authority.
- Act as the contact point for the supervisory authority on processing issues. (Regulation (EU) 2016/679, Article 39)
(Use the official text for the full list and exact wording.) (Regulation (EU) 2016/679, Article 39)
Plain-English requirement
You need a DPO operating model that works day-to-day:
- People know when they must engage the DPO.
- The DPO has a documented way to provide advice, review compliance, and influence outcomes.
- You can prove it with artifacts, not verbal assurances. (Regulation (EU) 2016/679, Article 39)
A common failure mode is treating the DPO like a mailbox. Article 39 expects an active compliance monitoring and advisory function that touches projects, policies, training, DPIAs, and regulator communications. (Regulation (EU) 2016/679, Article 39)
Who it applies to (entity + operational context)
Applies to: Any organization (controller or processor) that has appointed a DPO, whether because GDPR requires it or as a voluntary governance choice. Article 39 governs the DPO’s tasks once the role exists. (Regulation (EU) 2016/679, Article 39)
Operational contexts where Article 39 becomes “real”:
- New products, new data uses, new regions, or new third parties handling personal data.
- Privacy incidents and data breach response where regulator contact may be required.
- DPIA program execution and risk acceptance decisions.
- Internal audits, control testing, and customer diligence where DPO involvement is asked for. (Regulation (EU) 2016/679, Article 39)
Scope clarity is non-negotiable. If you cannot state whether you are acting as controller or processor for a processing activity, you will struggle to show the DPO’s advice and monitoring were properly directed. Maintain a role-and-scope register anchored to systems, data categories, and processing purposes. (Regulation (EU) 2016/679, Article 39)
What you actually need to do (step-by-step)
1) Build a “DPO task charter” mapped to Article 39
Create a one-page charter that lists each Article 39 task and defines:
- Deliverables (e.g., written advice memo, DPIA review notes, audit report, training plan).
- Triggers (e.g., “new third party with access to production personal data,” “new monitoring technology,” “material change to lawful basis”).
- Inputs required from the business (architecture diagrams, data flow, retention schedule).
- Decision rights (advisory vs approval) and escalation path. (Regulation (EU) 2016/679, Article 39)
Practical control: keep this charter version-controlled and approved by the accountable executive (often the CEO/GC/CCO depending on structure).
2) Create DPO engagement “front doors” (intake workflows)
You need lightweight, repeatable ways for teams to engage the DPO:
- Project/Change intake: privacy-by-design review gate in SDLC or procurement.
- DPIA intake: a form that collects processing description, necessity/proportionality, risks, and mitigations for DPO advice.
- Incident intake: a path for security/IR to bring the DPO into privacy incidents and regulator communications.
- Regulator communications log: single channel for inbound/outbound supervisory authority contact. (Regulation (EU) 2016/679, Article 39)
If you run a GRC tool (including Daydream), implement these as structured workflows with required fields and automated evidence capture (timestamps, approvers, attachments). Keep it boring and consistent.
3) Operationalize “monitor compliance” as a real testing cadence
Translate “monitor compliance” into measurable activities:
- Policy monitoring: test whether teams follow key privacy procedures (DSAR handling, retention, access control requests).
- Control monitoring: sample checks on processing records, third-party DPIAs/assessments, and data mapping updates.
- Audit support: periodic internal audits that produce findings, owners, and remediation tracking.
- Training and awareness: role-based training for high-risk roles (engineering, marketing, customer support, HR). (Regulation (EU) 2016/679, Article 39)
Tie this to your enterprise GRC plan so Article 39 isn’t a side project. If you use a three-lines-of-defense model, the DPO typically sits in the second line with advisory and monitoring responsibilities.
4) Make DPIA advice and follow-through auditable
For DPIAs, Article 39 expects the DPO to advise and to be involved in monitoring the DPIA process. (Regulation (EU) 2016/679, Article 39)
Minimum operationalization:
- Define when a DPIA is required in your internal procedure.
- Require documented DPO advice as part of DPIA completion (commentary, recommendations, risks).
- Track outcomes: accepted mitigations, residual risk sign-off, and go-live conditions.
- Link DPIA to system inventory and records of processing activities where you maintain them. (Regulation (EU) 2016/679, Article 39)
5) Establish supervisory authority cooperation + contact point mechanics
Even if contact with regulators is rare, you must be ready:
- Designate a single communications owner (often the DPO, supported by Legal/Compliance).
- Maintain a correspondence register with dates, subject, decision notes, and attachments.
- Pre-approve templates for common notices and information requests.
- Run tabletop exercises that include the DPO in regulator-contact scenarios. (Regulation (EU) 2016/679, Article 39)
6) Create the “Article 39 evidence packet” and refresh it routinely
Audits and customer due diligence move faster when you can hand over a clean packet:
- DPO charter + org chart position
- Role-and-scope register (controller/processor per activity)
- DPO annual plan (monitoring, audits, training)
- DPIA log with DPO advice artifacts
- Training completion exports and content outline
- Audit reports and remediation tracker
- Regulator contact log (even if it records “no contact,” backed by an attestation) (Regulation (EU) 2016/679, Article 39)
The goal is repeatability. Build the packet once; refresh it on a consistent cadence.
Required evidence and artifacts to retain
Use this as your retention checklist (store in a system that preserves version history):
- DPO task charter mapped to Article 39 tasks. (Regulation (EU) 2016/679, Article 39)
- Role-and-scope register: controller vs processor determination, affected systems, data categories, and key third parties. (Regulation (EU) 2016/679, Article 39)
- Operating procedure: intake triggers, routing rules, approvals, and escalations. (Regulation (EU) 2016/679, Article 39)
- Advice records: memos, email decisions captured to ticket, meeting minutes with decisions.
- Compliance monitoring outputs: audit plans, test scripts, sample results, findings, remediation evidence.
- Training program records: curriculum, attendance/completion, role mapping.
- DPIA artifacts: completed DPIAs, DPO advice, mitigation tracking, residual risk sign-off.
- Supervisory authority log: inbound/outbound correspondence, deadlines, response packages. (Regulation (EU) 2016/679, Article 39)
Common exam/audit questions and hangups
Auditors and regulators tend to ask:
- “Show me the DPO’s defined tasks and how they map to Article 39.” (Regulation (EU) 2016/679, Article 39)
- “How does the DPO monitor compliance? Provide recent outputs.”
- “Give examples of DPO advice on real initiatives (product launch, new third party, new analytics).”
- “Show DPO involvement in DPIAs and evidence recommendations were considered.” (Regulation (EU) 2016/679, Article 39)
- “How do employees know when to involve the DPO?”
- “Who contacts the supervisory authority, and where is it documented?” (Regulation (EU) 2016/679, Article 39)
Hangups you can preempt:
- Missing written advice (only verbal consults).
- No central log of DPO engagement across projects.
- DPIAs exist, but DPO advice is absent or generic.
- “Monitoring” is described but not evidenced with test results and remediation.
Frequent implementation mistakes and how to avoid them
| Mistake | Why it fails | Fix |
|---|---|---|
| DPO tasks buried in a job description | Job descriptions rarely show operational execution | Create a DPO task charter with deliverables and triggers. (Regulation (EU) 2016/679, Article 39) |
| DPO is engaged only after launch | Advice and DPIA input arrive too late to influence risk | Add SDLC/procurement gates and a clear intake form. |
| No role clarity (controller vs processor) | The DPO can’t tailor advice or monitoring | Maintain a role-and-scope register tied to systems and third parties. |
| “Monitoring” equals ad hoc check-ins | Audits expect repeatable testing and records | Define a monitoring plan, record tests, track remediation. |
| Regulator communications handled informally | Deadlines and messaging become inconsistent | Keep a regulator contact log and route communications through a controlled channel. (Regulation (EU) 2016/679, Article 39) |
Enforcement context and risk implications
No public enforcement case sources were provided in the source catalog for this page, so this section is limited to operational risk.
Risk implications if you cannot evidence Article 39 tasks:
- Regulatory defensibility risk: you may be unable to show that the DPO function is active and effective. (Regulation (EU) 2016/679, Article 39)
- Program risk: DPIAs, privacy-by-design reviews, and training become inconsistent across teams, which increases the chance of unmanaged processing changes.
- Third-party diligence risk: enterprise customers often ask for proof of DPO responsibilities, DPIA governance, and compliance monitoring outputs.
Practical 30/60/90-day execution plan
Exact timelines vary; use this as a phased plan rather than a promise.
Days 0–30: Establish structure and intake
- Draft and approve the DPO task charter mapped to Article 39. (Regulation (EU) 2016/679, Article 39)
- Stand up intake workflows for project reviews, DPIAs, incidents, and regulator communications.
- Build the first version of the role-and-scope register (controller/processor, systems, data categories, key third parties).
Days 31–60: Start producing monitoring outputs
- Publish the DPO operating procedure with triggers and handoffs.
- Launch training and awareness for teams that frequently change processing (engineering, product, security, marketing).
- Execute the first compliance monitoring cycle (small scope) and open remediation items in your tracking system.
Days 61–90: Make it repeatable and auditable
- Standardize DPIA workflow to require documented DPO advice and closure criteria. (Regulation (EU) 2016/679, Article 39)
- Create the recurring Article 39 evidence packet and set a refresh cadence.
- Run a tabletop scenario that includes supervisory authority contact mechanics and document lessons learned. (Regulation (EU) 2016/679, Article 39)
Daydream fit (earned, practical): If your team is managing DPO tasks in email and shared drives, Daydream can centralize intakes, evidence packets, and recurring monitoring outputs so audits stop becoming a document chase.
Frequently Asked Questions
Does Article 39 apply if we voluntarily appointed a DPO?
Yes. If you have a DPO, Article 39 defines minimum tasks the DPO must perform. You should still document the task charter and keep evidence of execution. (Regulation (EU) 2016/679, Article 39)
What is the minimum evidence an auditor will accept for “monitor compliance”?
Provide dated monitoring outputs: an audit/test plan, samples checked, findings, and remediation tracking. Pair it with proof of training and policy monitoring tied to real processes. (Regulation (EU) 2016/679, Article 39)
How do we prove the DPO “advised” on a DPIA without creating bureaucracy?
Require one written DPO comment block in the DPIA record: key risks, recommended mitigations, and whether residual risk is acceptable. Store it in the DPIA log so it’s retrievable. (Regulation (EU) 2016/679, Article 39)
Can Legal own regulator communications while the DPO is the contact point?
Yes in practice, but document the workflow. Keep a regulator correspondence log and define who drafts, who approves, and how the DPO is involved as the contact point for processing issues. (Regulation (EU) 2016/679, Article 39)
We have multiple business units. Do we need separate Article 39 procedures?
You need one standard operating model plus scoped variations for high-risk units. The key is consistent triggers, a central evidence approach, and a unified log of DPO engagement across units. (Regulation (EU) 2016/679, Article 39)
What should we do if the DPO gives advice that leadership does not follow?
Record the advice, the decision, and the rationale, then track any compensating controls. Article 39 focuses on the DPO’s tasks and ability to advise and monitor; the audit risk comes from missing records and unmanaged residual risk. (Regulation (EU) 2016/679, Article 39)