
What is a Data Protection Officer (DPO)?

A DPO (Data Protection Officer) oversees GDPR compliance within an organisation. A DPO is mandatory for public bodies, for large-scale monitoring, and for processing special category data (GDPR Art. 37).

Last reviewed: 25 May 2026
The Data Protection Officer (DPO) (Dutch: Functionaris voor Gegevensbescherming, FG) is the in-house GDPR overseer — an independent bridge between management, staff, data subjects, and the Dutch DPA.

Mandatory in 3 cases (GDPR Art. 37): (1) public bodies (except courts), (2) organisations doing large-scale and systematic monitoring of data subjects (think: webshop with millions of customers, telecom, social media), (3) organisations processing special category or criminal data at scale (hospitals, mental health, schools, prison system).

Tasks (Art. 39): inform and advise on GDPR obligations, monitor compliance, advise on DPIAs, liaise with the DPA, and handle inquiries from data subjects exercising their rights.

Independence is mandatory (Art. 38) — the DPO may not be instructed on how to perform tasks, may not be fired for DPO work, and must have free access to leadership.

Who can be DPO? Someone with "expert knowledge of privacy law and practice". The DPO may be internal or external. Smaller organisations often choose an external DPO-as-a-service (typically €500-€2,500/month). The DPO may hold another role provided there is no conflict of interest, e.g. not marketing director, but HR with a privacy portfolio is fine.

Contacting the DPO as a consumer: every DPO-bound organisation must publish contact details, usually in the privacy statement (often: dpo@company.nl or privacy@company.nl). Send your access, erasure, or complaint requests here.

Fine for not having a DPO when required: Art. 83(4), up to €10m / 2% turnover.
