The General Data Protection Regulation (GDPR) fundamentally reshaped how organizations handle personal data within the European Union and beyond. While many articles of the GDPR focus on legal bases, consent, or data subject rights, Article 39 plays a uniquely practical role. It defines what a Data Protection Officer (DPO) is actually expected to do on a daily basis.
Article 39 does not describe abstract principles. Instead, it sets out clear operational duties that turn GDPR compliance from theory into practice. Understanding this article is essential not only for appointed DPOs, but also for company executives, compliance officers, HR managers, IT teams, and anyone involved in data governance.
This article explains GDPR Article 39 in depth, breaks down each obligation, and illustrates how these duties work in real organizational contexts through five detailed examples.
What Is GDPR Article 39?
GDPR Article 39 defines the core tasks of the Data Protection Officer. If Article 37 explains when a DPO must be appointed, and Article 38 explains how the DPO should be positioned within the organization, Article 39 explains what the DPO must actually do.
In simple terms, Article 39 establishes the DPO as:
- An internal advisor on data protection law
- A monitor of GDPR compliance
- A trainer and awareness leader
- A risk assessor for data processing
- A point of contact with supervisory authorities
The article makes it clear that a DPO is not merely a symbolic role. The DPO must be actively involved in shaping data protection culture, policies, and operational decisions.
The Core Responsibilities Under GDPR Article 39
Article 39 outlines five main responsibilities. Each one is interconnected, and none can be ignored without weakening overall compliance.
1. Informing and Advising the Organization
One of the DPO’s primary responsibilities is to inform and advise the controller or processor and their employees about GDPR obligations.
This duty goes beyond simply interpreting the law. The DPO must translate legal requirements into practical, understandable guidance for different departments. Legal jargon alone is not sufficient; advice must be actionable.
For example, HR teams need guidance on employee data, marketing teams on consent and profiling, and IT teams on security and access control. The DPO acts as the bridge between regulation and real-world operations.
Importantly, this advisory role is continuous. GDPR compliance is not a one-time project but an ongoing process affected by new technologies, business models, and regulatory interpretations.
2. Monitoring Compliance with the GDPR
Article 39 explicitly assigns the DPO responsibility for monitoring compliance with the GDPR and with internal data protection policies.
This includes:
- Reviewing internal procedures
- Auditing data processing activities
- Assessing whether policies are followed in practice
- Checking documentation such as records of processing activities
- Ensuring lawful bases are correctly applied
Monitoring does not mean policing employees in a punitive way. Instead, it involves identifying weaknesses early, recommending improvements, and ensuring that data protection is embedded into everyday workflows.
A critical aspect here is risk-based thinking. The DPO must focus attention on processing activities that pose higher risks to individuals, such as large-scale profiling, health data processing, or biometric identification.
3. Raising Awareness and Training Staff
GDPR Article 39 specifically mentions awareness-raising and training as a core task. This highlights the fact that compliance is not achieved through policies alone, but through people.
Human error remains one of the leading causes of data breaches. Employees who do not understand data protection principles can unintentionally expose personal data through phishing attacks, misdirected emails, or improper system access.
The DPO is responsible for:
- Developing training programs
- Tailoring training to different roles
- Ensuring onboarding includes data protection awareness
- Promoting a culture of privacy and accountability
Training under Article 39 should be ongoing, not a one-off presentation. As threats and regulations evolve, staff knowledge must evolve with them.
4. Advising on Data Protection Impact Assessments (DPIAs)
Another critical responsibility under Article 39 is advising on Data Protection Impact Assessments.
A DPIA is required when processing is likely to result in a high risk to individuals’ rights and freedoms. The DPO must help determine:
- Whether a DPIA is required
- How the DPIA should be conducted
- What risks exist
- Which mitigation measures are appropriate
The DPO does not own the DPIA decision but must provide expert input. Their advice should be documented, especially if the organization chooses to proceed against that advice.
This function places the DPO at the center of innovation projects involving personal data, ensuring privacy risks are addressed before harm occurs.
5. Acting as a Contact Point for Supervisory Authorities
Article 39 also designates the DPO as a contact point for data protection authorities.
This includes:
- Cooperating with regulators
- Facilitating inspections or audits
- Responding to inquiries
- Acting as a liaison during investigations
The DPO must be accessible, knowledgeable, and independent when interacting with authorities. This role reinforces trust between organizations and regulators and can significantly reduce enforcement risks when handled properly.
Independence and Professional Judgment
Although independence is formally addressed in Article 38, Article 39 assumes that the DPO exercises professional judgment when carrying out tasks.
The DPO must not merely rubber-stamp management decisions. If the DPO identifies non-compliance or high risks, they are expected to raise concerns, even if this is inconvenient for the organization.
This independence protects both the organization and data subjects. It ensures that compliance decisions are not driven solely by commercial pressure.
Five Practical Examples of GDPR Article 39 in Action
To understand how Article 39 works in practice, consider the following real-world scenarios.
Example 1: GDPR Training in a Mid-Sized E-Commerce Company
A mid-sized e-commerce company processes thousands of customer orders daily. Personal data flows through marketing systems, payment platforms, and logistics providers.
The DPO notices an increase in phishing incidents targeting customer service staff. In response, they design a tailored training program focused on:
- Recognizing phishing emails
- Proper identity verification before disclosing customer data
- Secure handling of refund requests
The DPO conducts workshops, creates internal guidance, and follows up with simulated phishing tests. As a result, incident rates decrease significantly.
This example illustrates Article 39’s requirement for awareness-raising and training, directly reducing data protection risks.
Example 2: Monitoring HR Data Processing in a Corporate Group
A corporate group operates across several EU countries and processes employee data centrally. The DPO performs an internal audit and discovers inconsistent retention periods for employee records.
Some departments retain data far longer than necessary, creating unnecessary compliance risks. The DPO advises on harmonized retention schedules and works with HR to implement automatic deletion rules.
This demonstrates Article 39’s monitoring function, ensuring that internal practices align with GDPR principles like data minimization and storage limitation.
Example 3: Advising on a New AI-Based Recruitment Tool
A company plans to introduce an AI-powered recruitment system that analyzes candidate behavior and personality traits.
The DPO reviews the proposal and identifies potential risks related to profiling, discrimination, and transparency. They advise conducting a DPIA, recommend limiting data categories used, and suggest clear candidate disclosures.
Management adjusts the project based on this advice, reducing legal and ethical risks before launch.
This example highlights the DPO’s advisory role in DPIAs under Article 39.
Example 4: Cooperation with a Supervisory Authority After a Data Breach
A SaaS provider experiences a security incident involving unauthorized access to user accounts. The DPO coordinates communication with the supervisory authority, providing timely and accurate information.
They explain mitigation measures, assist in breach notification assessments, and respond to follow-up questions. Because of transparency and cooperation, enforcement consequences are minimized.
This scenario demonstrates Article 39’s requirement to act as a contact point and cooperate with regulators.
Example 5: Embedding Privacy by Design in Product Development
A mobile app company introduces a new feature that tracks user behavior for personalization. The DPO is involved early in development meetings.
They advise minimizing data collection, anonymizing analytics where possible, and offering user control over tracking settings. These measures are incorporated before release.
This proactive involvement reflects Article 39’s advisory and monitoring duties, ensuring privacy by design rather than reactive fixes.
Why GDPR Article 39 Matters for Organizations
Article 39 is often underestimated because it does not impose direct fines or technical requirements. However, it is one of the most important articles for practical compliance.
Without a properly functioning DPO fulfilling Article 39 duties:
- Policies remain theoretical
- Staff misunderstand obligations
- Risks go unnoticed
- Regulators lose trust
- Breaches become more likely
Conversely, organizations that empower their DPOs under Article 39 often achieve stronger compliance, faster incident response, and greater customer trust.
Common Misunderstandings About Article 39
One common misconception is that the DPO is personally responsible for GDPR compliance. In reality, responsibility always remains with the controller or processor. The DPO advises and monitors but does not replace accountability.
Another misunderstanding is treating the DPO as a legal formality. Article 39 makes it clear that the DPO must be actively involved, visible, and adequately resourced.
Final Thoughts on GDPR Article 39
GDPR Article 39 transforms data protection from a legal checklist into an organizational function. It defines the DPO as an educator, advisor, risk manager, and trusted intermediary.
Organizations that truly respect Article 39 do not see GDPR as a burden, but as a framework for responsible data governance. By empowering the DPO and integrating their advice into daily operations, companies can reduce risk, enhance transparency, and build lasting trust with individuals and regulators alike.