DPO As A Service

Data Protection & Security Experts

Deontology of the data protection officer

The DPO is subject to professional secrecy and has access to all systems where personal data may have been stored. The DPO provides information and advice within the organisation on GDPR.

The DPO works independently and does not perform any other functions in the company. this is to eliminate conflicts of interest in the case of a dispute.

the Group 29 (currently known as EDPB) has stated that the DPO must never hold a position that requires him or her to determine the purposes or means of processing personal data. In other words, the DPO may not exercise any decision-making power within a company.

The DPO answers questions from data subjects, is listed on the controller’s website and can be contacted using a separate DPO e-mail address within the organisation.

The DPO works under his/her own authority and reports to the most senior manager(s).


A DPO is an expert in data protection and verifies that your company processes all personal data correctly according to GDPR legislation.

Therefore, the DPO’s main task is to provide recommendation  regarding the preparation of a legal and IT GDPR file for an organisation. 

As a professional, the DPO will provide assistance in the preparation of a register of processing, an information security policy, in the drafting of privacy statements. In addition, the DPO can also conduct an internal audit.


Article 37 of the GDPR states that the appointment of a DPO is mandatory in the following specific cases:

  • Data processing is carried out by a public authority or public body, regardless of the data they process, except in the case of courts in the exercise of their judicial functions; (37.1(a));
  • The core tasks of the controller or processor consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic observation on a large scale of data subjects; (37.1(b));
  • The core tasks of the controller or processor consist of large-scale processing of special categories of data under Article 9 and of personal data relating to criminal convictions and offences referred to in Article 10 (37.1(c)).
  • Belgian national law adds as a fourth category: anyone processing data on behalf of the Federal Government. Those wishing to compete for data-related tenders will therefore also have to appoint a DPO. 

If your organisation does not fall under one of these categories, it may be useful to voluntarily appoint a DPO to improve GDPR compliance and avoid the occurrence of a data leak.